Abstract

Description Logic Knowledge and Action Bases (KABs) have been recently introduced as a mechanism that provides a semantically rich representation of the information on the domain of interest in terms of a DL KB and a set of actions to change such information over time, possibly introducing new objects. In this setting, decidability of verification of sophisticated temporal properties over KABs, expressed in a variant of first-order $\mu$-calculus, has been shown. However, the established framework treats inconsistency in a simplistic way, by rejecting inconsistent states produced through action execution. We address this problem by showing how inconsistency handling based on the notion of repairs can be integrated into KABs, resorting to inconsistency-tolerant semantics. In this setting, we establish decidability and complexity of verification.



1 Introduction 

Recent work in knowledge representation and databases has addressed the problem of dealing with the combination of knowledge, processes and data in the design of complex enterprise systems (Deutsch et al., 2009; Vianu, 2009; Bagheri Hariri et al., 2012; Calvanese et al., 2012; Limonad et al., 2012). The verification of temporal properties in this setting represents a significant research challenge, since data and knowledge make the system infinite-state, and neither finite-state model checking (Clarke et al., 1999) nor most of the current techniques for infinite-state model checking (Burkart et al., 2001) apply to this case.

Along this line, Knowledge and Action Bases (KABs) (Bagheri Hariri et al., 2012) have been recently introduced as a mechanism that provides a semantically rich representation of the information on the domain of interest in terms of a Description Logic (DL) KB and a set of actions to change such information over time, possibly introducing new objects. In this setting, decidability of verification of sophisticated temporal properties over KABs, expressed in a variant of first-order $\mu$-calculus, has been shown.

However, KABs and the majority of approaches dealing with verification in this complex setting assume a rather simple treatment of inconsistency resulting as an effect of action execution: inconsistent states are simply rejected (see, e.g., Deutsch et al., 2007; Deutsch et al., 2009; Bagheri Hariri et al., 2013). In general, this is not satisfactory, since the inconsistency may affect just a small portion of the entire KB, and should be treated in a more careful way.
Starting from this observation, in this work we leverage the research on instance-level evolution of knowledge bases (Winslett, 1990; Eiter and Gottlob, 1992; Flouris et al., 2008; Calvanese et al., 2010), and, in particular, the notion of knowledge base repair (Lembo et al., 2010), in order to make KABs inconsistency-aware. In particular, we present a novel setting that extends KABs by assuming the availability of a repair service that is able to compute, from an inconsistent knowledge base resulting from the execution of an action, one or more repairs, in which the inconsistency has been removed with a "minimal" modification to the existing knowledge. This allows us to incorporate, in the temporal verification formalism, the possibility of quantifying over repairs. Notably, our novel setting is able to deal with both deterministic semantics for repair, in which a single repair is computed from an inconsistent knowledge base, and non-deterministic ones, by simultaneously taking into account all possible repairs. We show how the techniques developed for KABs extend to this inconsistency-aware setting, preserving both decidability and complexity results, under the same assumptions required in KABs for decidability.

We also show how our setting is able to accommodate meta-level information about the sources of inconsistency at the intensional level, so as to allow them to be queried when verifying temporal properties of the system. The decidability and complexity results for verification carry over to this extended setting as well.

The proofs of all presented theorems are contained in the 
appendix. 



2 Preliminaries 

2.1 DL-Lite$_A$ Knowledge Bases

For expressing knowledge bases, we use DL-Lite$_A$ (Poggi et al., 2008; Calvanese et al., 2009). The syntax of concept and role expressions in DL-Lite$_A$ is as follows:

$B \rightarrow N \mid \exists R \qquad\qquad R \rightarrow P \mid P^-$

where $N$ denotes a concept name, $P$ a role name, and $P^-$ an inverse role. A DL-Lite$_A$ knowledge base (KB) is a pair $(T, A)$, where: (i) $A$ is an ABox, i.e., a finite set of ABox membership assertions of the form $N(t_1)$ or $P(t_1, t_2)$, where $t_1, t_2$ denote individuals; (ii) $T$ is a TBox, i.e., $T = T_p \uplus T_n \uplus T_f$, with $T_p$ a finite set of positive inclusion assertions of the form $B_1 \sqsubseteq B_2$, $T_n$ a finite set of negative inclusion assertions of the form $B_1 \sqsubseteq \neg B_2$, and $T_f$ a finite set of functionality assertions of the form $(\mathit{funct}\ R)$.

We adopt the standard FOL semantics of DLs based on FOL interpretations $\mathcal{I} = (\Delta^\mathcal{I}, \cdot^\mathcal{I})$ such that $c^\mathcal{I} \in \Delta^\mathcal{I}$, $N^\mathcal{I} \subseteq \Delta^\mathcal{I}$, and $P^\mathcal{I} \subseteq \Delta^\mathcal{I} \times \Delta^\mathcal{I}$. The semantics of the constructs, of TBox and ABox assertions, and the notions of satisfaction and of model are as usual. We also say that $A$ is $T$-consistent if $(T, A)$ is satisfiable, i.e., admits at least one model; otherwise we say $A$ is $T$-inconsistent.

Queries. As usual (cf. OWL 2 QL), answers to queries are formed by terms denoting individuals explicitly mentioned in the ABox. The domain of an ABox $A$, denoted by $\mathrm{ADOM}(A)$, is the (finite) set of terms appearing in $A$. A union of conjunctive queries (UCQ) $q$ over a KB $(T, A)$ is a FOL formula of the form $\bigvee_{i=1}^{n} \exists \vec{y}_i . \mathit{conj}_i(\vec{x}, \vec{y}_i)$ with free variables $\vec{x}$ and existentially quantified variables $\vec{y}_1, \ldots, \vec{y}_n$. Each $\mathit{conj}_i(\vec{x}, \vec{y}_i)$ in $q$ is a conjunction of atoms of the form $N(z)$, $P(z, z')$, where $N$ and $P$ respectively denote a concept and a role name occurring in $T$, and $z, z'$ are constants in $\mathrm{ADOM}(A)$ or variables in $\vec{x}$ or $\vec{y}_i$, for some $i \in \{1, \ldots, n\}$. The (certain) answers to $q$ over $(T, A)$ is the set $\mathit{ans}(q, T, A)$ of substitutions $\sigma$ of the free variables of $q$ with constants in $\mathrm{ADOM}(A)$ such that $q\sigma$ evaluates to true in every model of $(T, A)$. If $q$ has no free variables, then it is called boolean and its certain answers are either $\mathit{true}$ or $\mathit{false}$.

We compose UCQs using ECQs, i.e., queries of the query language EQL-Lite(UCQ) (Calvanese et al., 2007a), which is the FOL query language whose atoms are UCQs evaluated according to the certain answer semantics above. An ECQ over $T$ and $A$ is a possibly open formula of the form

$Q ::= [q] \mid \neg Q \mid Q_1 \wedge Q_2 \mid \exists x . Q$

where $q$ is a UCQ. The answer to $Q$ over $(T, A)$ is the set $\mathrm{ANS}(Q, T, A)$ of tuples of constants in $\mathrm{ADOM}(A)$ defined by composing the certain answers $\mathit{ans}(q, T, A)$ of UCQs $q$ through first-order constructs, and interpreting existential variables as ranging over $\mathrm{ADOM}(A)$.

Finally, we recall that DL-Lite$_A$ enjoys the FO rewritability property, which states that for every UCQ $q$, $\mathit{ans}(q, T, A) = \mathit{ans}(\mathit{rew}(q), \emptyset, A)$, where $\mathit{rew}(q)$ is a UCQ computed by the reformulation algorithm in (Calvanese et al., 2009). Notice that this algorithm can be extended to ECQs (Calvanese et al., 2007a), and that its effect is to "compile away" the TBox.



2.2 Knowledge and Action Bases 

We recall the notion of Knowledge and Action Bases (KABs), as introduced in (Bagheri Hariri et al., 2012). In the following, we make use of a countably infinite set $C$ of constants to denote all possible values in the system. Moreover, we also make use of a finite set $\mathcal{F}$ of functions that represent service calls, and can be used to inject fresh values into the system.

A KAB is a tuple $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ where $T$ and $A_0$ form the knowledge base (KB), and $\Gamma$ and $\Pi$ form the action base. Intuitively, the KB maintains the information of interest. It is formed by a fixed DL-Lite$_A$ TBox $T$ and an initial $T$-consistent DL-Lite$_A$ ABox $A_0$. $A_0$ represents the initial state of the system and, differently from $T$, it evolves and incorporates new information from the external world by executing the actions in $\Gamma$, according to the sequencing established by the process $\Pi$. $\Gamma$ is a finite set of actions. An action $\gamma \in \Gamma$ modifies the current ABox $A$ by adding or deleting assertions, thus generating a new ABox $A'$. $\gamma$ is constituted by a signature and an effect specification. The action signature is constituted by a name and a list of individual input parameters. Such parameters need to be instantiated with individuals for the execution of the action. Given a substitution $\theta$ for the input parameters, we denote by $\gamma\theta$ the instantiated action with the actual parameters coming from $\theta$. The effect specification consists of a set $\{e_1, \ldots, e_n\}$ of effects, which take place simultaneously. An effect $e_i$ has the form $[q_i^+] \wedge Q_i^- \rightsquigarrow A_i'$, where: (i) $q_i^+$ is a UCQ, and $Q_i^-$ is an arbitrary ECQ whose free variables all occur among the free variables of $q_i^+$; (ii) $A_i'$ is a set of facts (over the alphabet of $T$) which include as terms: individuals in $A_0$, free variables of $q_i^+$, and Skolem terms $f(\vec{x})$ having as arguments free variables $\vec{x}$ of $q_i^+$. The distinction between $q_i^+$ and $Q_i^-$ is needed for technical reasons (see Appendix E).

The process $\Pi$ is a finite set of condition/action rules. A condition/action rule $\pi \in \Pi$ is an expression of the form $Q \mapsto \gamma$, where $\gamma$ is an action in $\Gamma$ and $Q$ is an ECQ over $T$, whose free variables are exactly the parameters of $\gamma$. The rule expresses that, for each tuple $\vec{a}$ for which condition $Q$ holds, the action $\gamma$ with actual parameters $\vec{a}$ can be executed.

Example 2.1. $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ is a KAB defined as follows: (i) $T = \{C \sqsubseteq \neg D\}$, (ii) $A_0 = \{C(a)\}$, (iii) $\Gamma = \{\gamma_1, \gamma_2\}$ with $\gamma_1() : \{C(x) \rightsquigarrow D(x), C(x)\}$ and $\gamma_2(p) : \{C(p) \rightsquigarrow G(f(p))\}$, (iv) $\Pi = \{\mathit{true} \mapsto \gamma_1,\ C(y) \mapsto \gamma_2(y)\}$. □

3 Verification of Standard KABs 

We are interested in verifying temporal/dynamic properties over KABs. To this aim, we fix a countably infinite set $C$ of individual constants (also called values), which act as standard names, and a finite set of distinguished constants $C_0 \subseteq C$. Then, we define the execution semantics of a KAB in terms of a possibly infinite-state transition system. More specifically, we consider transition systems of the form $(C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$, where: (i) $T$ is a TBox; (ii) $\Sigma$ is a set of states; (iii) $s_0 \in \Sigma$ is the initial state; (iv) $\mathit{abox}$ is a function that, given a state $s \in \Sigma$, returns an ABox associated to $s$, which has as individuals values of $C$ and conforms to $T$; (v) $\Rightarrow \subseteq \Sigma \times \Sigma$ is a transition relation between pairs of states.

The standard execution semantics for a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ is obtained starting from $A_0$ by nondeterministically applying every executable action with corresponding legal parameters, and considering each possible value returned by applying the involved service calls. Notice that this is radically different from (Bagheri Hariri et al., 2012), where service calls are not evaluated when constructing the transition system. The executability of an action with fixed parameters does not only depend on the process $\Pi$, but also on the $T$-consistency of the ABox produced by the application of the action: if the resulting ABox is $T$-inconsistent, the action is considered as non-executable with the chosen parameters.

We consider deterministic services, i.e., services that always return the same value when called with the same input parameters. Nondeterministic services can be seamlessly added without affecting our technical results. To ensure that services behave deterministically, we recast the approach in (Bagheri Hariri et al., 2013) to the semantic setting of KABs, keeping track, in the states of the transition system generated by $\mathcal{K}$, of all the service call results accumulated so far. To do so, we introduce the set of (Skolem terms representing) service calls as $\mathit{SC} = \{f(v_1, \ldots, v_n) \mid f/n \in \mathcal{F} \text{ and } \{v_1, \ldots, v_n\} \subseteq C\}$, and define a service call map as a partial function $m : \mathit{SC} \rightarrow C$.

A state of the transition system generated by $\mathcal{K}$ is a pair $(A, m)$, where $A$ is an ABox and $m$ is a service call map. Let $\gamma(p_1, \ldots, p_r) : \{e_1, \ldots, e_k\}$ be an action in $\Gamma$ with parameters $p_1, \ldots, p_r$, and $e_i = [q_i^+] \wedge Q_i^- \rightsquigarrow E_i$. Let $\sigma$ be a substitution for $p_1, \ldots, p_r$ with values taken from $C$. We say that $\sigma$ is legal for $\gamma$ in state $(A, m)$ if there exists a condition-action rule $Q \mapsto \gamma$ in $\Pi$ such that $(p_1, \ldots, p_r)\sigma \in \mathrm{ANS}(Q, A)$. We denote with $\mathrm{DO}(T, A, \gamma\sigma)$ the set of facts obtained by evaluating the effects of action $\gamma$ with parameters $\sigma$ on ABox $A$, so as to progress (cf. planning (Ghallab et al., 2004)) the system from the current state to the next:



$$\mathrm{DO}(T, A, \gamma\sigma) = \bigcup_{[q_i^+] \wedge Q_i^- \rightsquigarrow E_i \text{ in } \gamma} \;\; \bigcup_{\rho \in \mathrm{ANS}(([q_i^+] \wedge Q_i^-)\sigma, T, A)} E_i\sigma\rho$$



The returned set is the union of the results of applying the effect specifications in $\gamma$, where the result of each effect specification $[q_i^+] \wedge Q_i^- \rightsquigarrow E_i$ is, in turn, the set of facts $E_i\sigma\rho$ obtained from $E_i\sigma$ grounded on all the assignments $\rho$ that satisfy the query $[q_i^+] \wedge Q_i^-$ over $A$.

Note that $\mathrm{DO}()$ generates facts that use values from the domain $C$, but also Skolem terms, which model service calls. For any such set of facts $E$, we denote with $\mathrm{CALLS}(E)$ the set of calls it contains, and with $\mathrm{EVALS}(T, A, \gamma\sigma)$ the set of substitutions that replace all service calls in $\mathrm{DO}(T, A, \gamma\sigma)$ with values in $C$:

$$\mathrm{EVALS}(T, A, \gamma\sigma) = \{\theta \mid \theta \text{ is a total function } \theta : \mathrm{CALLS}(\mathrm{DO}(T, A, \gamma\sigma)) \rightarrow C\}.$$

Each substitution in $\mathrm{EVALS}(T, A, \gamma\sigma)$ models the simultaneous evaluation of all service calls, returning results arbitrarily chosen from $C$.



Example 3.1. Consider our running example (Example 2.1). Starting from $A_0$, the execution of $\gamma_1$ would produce $A' = \{D(a), C(a)\}$, which is $T$-inconsistent. Thus, the execution of $\gamma_1$ in $A_0$ should either be rejected or its effect should be repaired (cf. Section 4). The execution of $\gamma_2$ with legal parameter $a$ instead produces $A'' = \{G(c)\}$ when the service call $f(a)$ returns $c$. $A''$ is $T$-consistent, and $\gamma_2(a)$ is therefore executable in $A_0$. □



Given a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, we employ $\mathrm{DO}()$ and $\mathrm{EVALS}$ to define a transition relation $\mathrm{EXEC}_\mathcal{K}$ connecting two states through the application of an action with parameter assignment. In particular, given an action with parameter assignment $\gamma\sigma$, we have $((A, m), \gamma\sigma, (A', m')) \in \mathrm{EXEC}_\mathcal{K}$ if the following holds: (i) $\sigma$ is a legal parameter assignment for $\gamma$ in state $(A, m)$, according to $\Pi$; (ii) there exists $\theta \in \mathrm{EVALS}(T, A, \gamma\sigma)$ such that $\theta$ and $m$ agree on the common values in their domains (so as to realize the deterministic service semantics); (iii) $A' = \mathrm{DO}(T, A, \gamma\sigma)\theta$; (iv) $m' = m \cup \theta$ (i.e., the history of issued service calls is updated).

Standard transition system. The standard transition system $\Upsilon^S_\mathcal{K}$ for KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ is a (possibly infinite-state) transition system $(C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$ where: (i) $s_0 = (A_0, \emptyset)$; (ii) $\mathit{abox}((A, m)) = A$; (iii) $\Sigma$ and $\Rightarrow$ are defined by simultaneous induction as the smallest sets satisfying the following properties: (a) $s_0 \in \Sigma$; (b) if $(A, m) \in \Sigma$, then for all actions $\gamma$ in $\Gamma$, for all substitutions $\sigma$ for the parameters of $\gamma$ and for all $(A', m')$ such that $A'$ is $T$-consistent and $((A, m), \gamma\sigma, (A', m')) \in \mathrm{EXEC}_\mathcal{K}$, we have $(A', m') \in \Sigma$ and $(A, m) \Rightarrow (A', m')$. We call S-KAB a KAB interpreted under the standard execution semantics.



Example 3.2. Consider $\mathcal{K}$ of Example 2.1 and its standard transition system $\Upsilon^S_\mathcal{K}$. As discussed in Example 3.1, in state $s_0 = (A_0, \emptyset)$ only $\gamma_2$ is applicable with parameter $a$. Since $\mathrm{DO}(T, A_0, \gamma_2(a)) = \{G(f(a))\}$, $\Upsilon^S_\mathcal{K}$ contains infinitely many successors for $s_0$, each of the form $(\{G(x)\}, \{f(a) \mapsto x\})$, where $x$ is arbitrarily substituted with a specific value picked from $C$. □
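The action step just described (legal parameters from $\Pi$, $\mathrm{DO}()$, $\mathrm{EVALS}$, the agreement of $\theta$ with the service call map $m$, and the rejection of $T$-inconsistent results under the standard semantics), as an added example in Python that is not part of the paper. It encodes the running example of Example 2.1 by hand; since that TBox has no positive inclusions, $\mathit{rew}(q) = q$ and certain answers reduce to matching the query against the ABox read as a database. The value domain $C$ is sampled with two constants so the infinitely many successors of Example 3.2 become enumerable, and effects carry only the positive part $q_i^+$ (the ECQ part $Q_i^-$ is left out). All names and data structures are this example's own.

```python
"""Action step of a KAB: legal parameters, DO(), EVALS and S-KAB successors.

Constructed encoding of Example 2.1 of the paper (not the paper's own code).
Ground atoms are (name, args); args are values (str) or Skolem terms (fname, args).
Query variables are strings starting with '?'.
"""
from itertools import product

NEG_INCLUSIONS = [('C', 'D')]                        # T = {C ⊑ ¬D}
A0 = frozenset({('C', ('a',))})                      # initial ABox A0 = {C(a)}

# gamma1(): C(x) ⇝ D(x), C(x)       gamma2(p): C(p) ⇝ G(f(p))
# each effect is (positive query atoms q+, facts E_i to add)
ACTIONS = {
    'gamma1': [([('C', ('?x',))], [('D', ('?x',)), ('C', ('?x',))])],
    'gamma2': [([('C', ('?p',))], [('G', (('f', ('?p',)),))])],
}
# process: true ↦ gamma1, C(p) ↦ gamma2(p)   as (condition atoms, action name)
PROCESS = [([], 'gamma1'), ([('C', ('?p',))], 'gamma2')]


def is_var(t):
    return isinstance(t, str) and t.startswith('?')


def matches(atoms, abox):
    """All substitutions of the ?-variables making every atom of the conjunction hold in abox.
    With no positive inclusions in T this is exactly ans(q, T, A) for a single-conjunct UCQ."""
    subs = [{}]
    for name, args in atoms:
        extended = []
        for sub in subs:
            for fname, fargs in abox:
                if fname != name or len(fargs) != len(args):
                    continue
                cand = dict(sub)
                for a, v in zip(args, fargs):
                    if is_var(a):
                        if cand.setdefault(a, v) != v:
                            break            # variable already bound to a different value
                    elif a != v:
                        break                # constant in the query does not match
                else:
                    extended.append(cand)
        subs = extended
    return subs


def apply(term, sub):
    """Apply a substitution to a value, a variable or a (nested) Skolem term."""
    if isinstance(term, tuple):
        return (term[0], tuple(apply(t, sub) for t in term[1]))
    return sub.get(term, term)


def legal_params(abox, action):
    """Substitutions sigma legal for the action: answers of some rule Q ↦ action in PROCESS."""
    return [s for cond, act in PROCESS if act == action for s in matches(cond, abox)]


def do(abox, action, sigma):
    """DO(T, A, gamma sigma): union over the effects of E_i sigma rho, one per answer rho of q_i+ sigma."""
    facts = set()
    for q_plus, e_i in ACTIONS[action]:
        q_inst = [(n, tuple(apply(t, sigma) for t in args)) for n, args in q_plus]
        for rho in matches(q_inst, abox):
            facts |= {(n, tuple(apply(t, {**sigma, **rho}) for t in args)) for n, args in e_i}
    return facts


def calls(facts):
    """CALLS(E): the Skolem terms (service calls) occurring in a set of facts."""
    return {t for _, args in facts for t in args if isinstance(t, tuple)}


def evals(facts, values):
    """EVALS(T, A, gamma sigma) over a finite sample of C: every total map from CALLS to values."""
    cs = sorted(calls(facts))
    return [dict(zip(cs, vs)) for vs in product(values, repeat=len(cs))]


def consistent(abox):
    """T-consistency for a TBox made of negative concept inclusions only."""
    return not any((b2, args) in abox for b1, b2 in NEG_INCLUSIONS for n, args in abox if n == b1)


def successors(state, action, values):
    """S-KAB successors of (A, m) through EXEC_K: theta must agree with m on earlier results of the
    same service call (deterministic services) and T-inconsistent results are rejected."""
    abox, m = state
    out = []
    for sigma in legal_params(abox, action):
        facts = do(abox, action, sigma)
        for theta in evals(facts, values):
            if any(c in m and m[c] != v for c, v in theta.items()):
                continue
            new_abox = frozenset((n, tuple(theta.get(t, t) for t in args)) for n, args in facts)
            if consistent(new_abox):
                out.append((new_abox, {**m, **theta}))
    return out


if __name__ == '__main__':
    print(successors((A0, {}), 'gamma1', ['a', 'b']))   # []: {D(a), C(a)} is T-inconsistent, rejected
    print(successors((A0, {}), 'gamma2', ['a', 'b']))   # one successor per sampled value of f(a)
```

Running it shows the two behaviours of Example 3.1 side by side: $\gamma_1$ yields no successor because its result violates $C \sqsubseteq \neg D$, while $\gamma_2(a)$ yields one successor per sampled value of $f(a)$, and a state whose map already records $f(a)$ admits only the successor that agrees with it.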

Verification Formalism. To specify sophisticated temporal properties over KABs, we resort to the first-order variant of $\mu$-calculus (Stirling, 2001; Park, 1976) defined in (Bagheri Hariri et al., 2012). This variant, here called $\mu\mathcal{L}_A$, exploits EQL to query the states, and supports a particular form of first-order quantification across states: quantification ranges over the individuals explicitly present in the current active domain, and can be arbitrarily referred to in later states of the system. Formally, $\mu\mathcal{L}_A$ is defined as follows:

$$\Phi ::= Q \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \exists x . \Phi \mid \langle - \rangle\Phi \mid Z \mid \mu Z . \Phi$$

where $Q$ is a possibly open EQL query that can make use of the distinguished constants in $C_0$, and $Z$ is a second order predicate variable (of arity 0). We make use of the following abbreviations: $\forall x . \Phi = \neg(\exists x . \neg\Phi)$, $\Phi_1 \vee \Phi_2 = \neg(\neg\Phi_1 \wedge \neg\Phi_2)$, $[-]\Phi = \neg\langle - \rangle\neg\Phi$, and $\nu Z . \Phi = \neg\mu Z . \neg\Phi[Z/\neg Z]$.
The semantics of $\mu\mathcal{L}_A$ formulae is defined over transition systems $(C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$. Since $\mu\mathcal{L}_A$ contains formulae with both individual and predicate free variables, given a transition system $\Upsilon$, we introduce an individual variable valuation $v$, i.e., a mapping from individual variables $x$ to $C$, and a predicate variable valuation $V$, i.e., a mapping from the predicate variables $Z$ to a subset of $\Sigma$. All the language primitives follow the standard $\mu$-calculus semantics, apart from the two listed below (Bagheri Hariri et al., 2012):

$$(Q)^\Upsilon_{v,V} = \{s \in \Sigma \mid \mathrm{ANS}(Qv, T, \mathit{abox}(s)) = \mathit{true}\}$$

$$(\exists x . \Phi)^\Upsilon_{v,V} = \{s \in \Sigma \mid \exists d .\ d \in \mathrm{ADOM}(\mathit{abox}(s)) \text{ and } s \in (\Phi)^\Upsilon_{v[x/d],V}\}$$

Here, $Qv$ stands for the query obtained from $Q$ by substituting its free variables according to $v$. When $\Phi$ is a closed formula, $(\Phi)^\Upsilon_{v,V}$ does not depend on $v$ or $V$, and we denote the extension of $\Phi$ simply by $(\Phi)^\Upsilon$. A closed formula $\Phi$ holds in a state $s \in \Sigma$ if $s \in (\Phi)^\Upsilon$. We call model checking verifying whether $s_0 \in (\Phi)^\Upsilon$, and we write in this case $\Upsilon \models \Phi$.
Decidability of verification. We are interested in studying the verification of $\mu\mathcal{L}_A$ properties over S-KABs. We can easily recast the undecidability result in (Bagheri Hariri et al., 2012) to the case of S-KABs, obtaining that verification is undecidable even for the very simple temporal reachability property $\mu Z . (N(a) \vee \langle - \rangle Z)$, with $N$ an atomic concept and $a \in C$.

Despite this undecidability result, we can isolate an interesting class of KABs that enjoys verifiability of arbitrary $\mu\mathcal{L}_A$ properties through finite-state abstraction. This class is based on a semantic restriction named run-boundedness (Bagheri Hariri et al., 2013). Given an S-KAB $\mathcal{K}$, a run $\tau = s_0 s_1 \cdots$ of $\Upsilon^S_\mathcal{K}$ is bounded if there exists a finite bound $b$ s.t. $|\bigcup_{s \text{ state of } \tau} \mathrm{ADOM}(\mathit{abox}(s))| < b$. We say that $\mathcal{K}$ is run-bounded if there exists a bound $b$ s.t. every run $\tau$ in $\Upsilon^S_\mathcal{K}$ is bounded by $b$.

Theorem 3.3. Verification of $\mu\mathcal{L}_A$ properties over run-bounded S-KABs is decidable, and can be reduced to finite-state model checking of propositional $\mu$-calculus.

The crux of the proof is to show, given a run-bounded S-KAB $\mathcal{K}$, how to construct an abstract transition system $\Theta^S_\mathcal{K}$ that satisfies exactly the same $\mu\mathcal{L}_A$ properties as the original transition system $\Upsilon^S_\mathcal{K}$. This is done by introducing a suitable bisimulation relation, and defining a construction of $\Theta^S_\mathcal{K}$ based on iteratively "pruning" those branches of $\Upsilon^S_\mathcal{K}$ that cannot be distinguished by $\mu\mathcal{L}_A$ properties.

In fact, $\Theta^S_\mathcal{K}$ is of size exponential in the size of the initial state of the S-KAB $\mathcal{K}$ and the bound $b$. Hence, considering the complexity of model checking of $\mu$-calculus on finite-state transition systems (Clarke et al., 1999; Stirling, 2001), we obtain that verification is in ExpTime.



4 Repair Semantics for KABs 

S-KABs are defined by taking a radical approach in the management of inconsistency: simply reject actions that lead to $T$-inconsistent ABoxes. However, an inconsistency could be caused by a small portion of the ABox, making it desirable to handle the inconsistency by allowing the action execution, and taking care of repairing the resulting state so as to restore consistency while minimizing the information loss. To this aim, we revise the standard semantics for KABs so as to manage inconsistency, relying on the research on instance-level evolution of knowledge bases (Winslett, 1990; Eiter and Gottlob, 1992; Flouris et al., 2008; Calvanese et al., 2010), and, in particular, on the notion of ABox repair, cf. (Bertossi, 2006; Lembo et al., 2010).

In particular, we assume that in this case the system is equipped with a repair service that is executed every time an action changes the content of the ABox. In this light, a progression step of the KAB is constituted by two sub-steps: an action step, where an executable action with parameters is chosen and applied over the current ABox, followed by a repair step, where the repair service checks whether the resulting state is $T$-consistent or not, and, in the negative case, fixes the content of the ABox resulting from the action step, by applying its repair strategy.

Repairing ABoxes. We illustrate our approach by considering two specific forms of repair that have been proposed in the literature (Eiter and Gottlob, 1992) and are applicable to the context of DL ontologies (Lembo et al., 2010).

• Given an ABox $A$ and a TBox $T$, a bold-repair (b-repair) of $A$ with $T$ is a maximal $T$-consistent subset $A'$ of $A$. Clearly, there might be more than one bold-repair for given $A$ and $T$. By $\mathrm{REP}(A, T)$ we denote the set of all b-repairs of $A$ with $T$.

• A certain-repair (c-repair) of $A$ with $T$ is the ABox defined as follows: $A' = \bigcap_{A'' \in \mathrm{REP}(A, T)} A''$. That is, a c-repair of $A$ with $T$ contains only those ABox statements that occur in every b-repair of $A$ with $T$.

In general, there are (exponentially) many b-repairs of an ABox $A$ with $T$, while by definition there is a single c-repair.

Example 4.1. Continuing Example 3.1, consider the $T$-inconsistent state $(A', \emptyset)$ obtained from $\gamma_1()$ in $A_0$. Its two b-repairs are $\mathrm{REP}(A', T) = \{A_1, A_2\}$ with $A_1 = \{C(a)\}$, $A_2 = \{D(a)\}$. Its c-repair is $\bigcap_{A \in \mathrm{REP}(A', T)} A = \{C(a)\} \cap \{D(a)\} = \emptyset$. □



4.1 Bold and Certain Repair Transition Systems 

We now refine the execution semantics of KABs by construct- 
ing a two-layered transition system that reflects the alterna- 
tion between the action and the repair steps. In particular, 
we consider the two cases for which the repair strategy ei- 
ther follows the bold or certain semantics. We observe that, 
if b-repair semantics is applied, then the repair service has, 
in general, several possibilities to fix an inconsistent ABox. 
Since, a-priori, no information about the repair service can be 
assumed beside the repair strategy itself, the transition system 
capturing this execution semantics must consider the progres- 
sion of the system for any computable repair, modelling the 
repair step as the result of a non-deterministic choice taken 
by the repair service when deciding which among the possi- 
ble repairs will be the actually enforced one. This issue does 
not occur with c-repair semantics, because its repair strategy 
is deterministic. 

In order to distinguish whether a state is obtained from an action or repair step, we introduce a special marker $\mathit{State}(\mathit{temp})$, which is an ABox statement with a fresh concept name $\mathit{State}$ and a fresh constant $\mathit{temp}$, s.t.: if $\mathit{State}(\mathit{temp})$ is in the current state, this means that the state has been produced by an action step, otherwise by the repair step.

Formally, the b-transition system $\Upsilon^b_\mathcal{K}$ (resp. c-transition system $\Upsilon^c_\mathcal{K}$) for a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ is a (possibly infinite-state) transition system $(C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$ where:

(1) $s_0 = (A_0, \emptyset)$;

(2) $\Sigma$ and $\Rightarrow$ are defined by simultaneous induction as the smallest sets satisfying the following properties:

(i) $s_0 \in \Sigma$;

(ii) (action step) if $(A, m) \in \Sigma$ and $\mathit{State}(\mathit{temp}) \notin A$, then for all actions $\gamma$ in $\Gamma$, for all substitutions $\sigma$ for the parameters of $\gamma$ and for all $(A', m')$ s.t. $((A, m), \gamma\sigma, (A', m')) \in \mathrm{EXEC}_\mathcal{K}$, let $A'' = A' \cup \{\mathit{State}(\mathit{temp})\}$, and then $(A'', m') \in \Sigma$ and $(A, m) \Rightarrow (A'', m')$;

(iii) (repair step) if $(A, m) \in \Sigma$ and $\mathit{State}(\mathit{temp}) \in A$, then for each b-repair $A'$ (resp. the c-repair $A'$) of $A - \{\mathit{State}(\mathit{temp})\}$ with $T$, we have $(A', m) \in \Sigma$ and $(A, m) \Rightarrow (A', m)$.

We refer to KABs with b-transition (resp. c-transition) system semantics as b-KABs (resp. c-KABs).

Example 4.2. Under b-repair semantics, the KAB in our running example looks as follows. Since $A'$ is $T$-inconsistent, we have two bold repairs, $A_1$ and $A_2$, which in turn give rise to two runs: $(A_0, \emptyset) \Rightarrow (A'_t, \emptyset) \Rightarrow (A_1, \emptyset)$ and $(A_0, \emptyset) \Rightarrow (A'_t, \emptyset) \Rightarrow (A_2, \emptyset)$, where $A'_t = A' \cup \{\mathit{State}(\mathit{temp})\}$. Since instead $\gamma_2$ does not lead to any inconsistency, for every candidate successor $A'' = \{G(x)\}$ with $m = \{f(a) \mapsto x\}$ (see Example 3.2), we have $(A_0, \emptyset) \Rightarrow (A'' \cup \{\mathit{State}(\mathit{temp})\}, m) \Rightarrow (A'', m)$, reflecting that in this case the repair service just maintains the resulting ABox unaltered. □

4.2 Verification Under Repair Semantics 

We observe that the alternation between an action and a repair step makes EQL queries meaningless for the intermediate states produced as a result of action steps, because the resulting ABox could in fact be $T$-inconsistent (see, e.g., state $(A'_t, \emptyset)$ in Example 4.2). In fact, such intermediate states are needed just to capture the dynamic structure that reflects the behaviour of the system. E.g., state $(A'_t, \emptyset)$ in Example 4.2 has two successor states, attesting that the repair service with bold semantics will produce one of two possible repairs.

In this light, we introduce the inconsistency-tolerant temporal logic $\mu\mathcal{L}^{IT}_A$, which is a fragment of $\mu\mathcal{L}_A$ defined as:

$$\Phi ::= Q \mid \neg\Phi \mid \Phi_1 \wedge \Phi_2 \mid \exists x . \Phi \mid \langle - \rangle[-]\Phi \mid [-][-]\Phi \mid Z \mid \mu Z . \Phi$$

Beside the standard abbreviations introduced for $\mu\mathcal{L}_A$, we also make use of the following: $\langle - \rangle\langle - \rangle\Phi = \neg[-][-]\neg\Phi$, and $[-]\langle - \rangle\Phi = \neg\langle - \rangle[-]\neg\Phi$. This logic can be used to express interesting properties over b- and c-KABs, exploiting different combinations of the $\langle - \rangle$ and $[-]$ next-state operators so as to quantify over the possible action steps and corresponding repair steps, ensuring at the same time that only the $T$-consistent states produced by the repair steps are queried. For example, $\mu Z . (\Phi \vee \langle - \rangle\langle - \rangle Z)$ models the "optimistic" reachability of $\Phi$, stating that there exists a sequence of action and repair steps s.t. $\Phi$ eventually holds. Conversely, $\mu Z . (\Phi \vee \langle - \rangle[-]Z)$ models the "robust" reachability of $\Phi$, stating the existence of a sequence of action steps leading to $\Phi$ independently from the behaviour of the repair service. These patterns can be nested into more complex properties that express requirements about the acceptable progressions of the system, taking into account data and repairs. E.g., $\nu Z . (\forall x . \mathit{Stud}(x) \rightarrow \mu Y . (\mathit{Grad}(x) \vee \langle - \rangle[-]Y)) \wedge [-][-]Z$ states that, for every student $x$ encountered in any state of the system, it is possible to "robustly" reach a state where $x$ becomes graduated.
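The difference between the "optimistic" and the "robust" reachability patterns, as an added example in Python that is not part of the paper. It evaluates the two least fixpoints by Kleene iteration over a constructed finite fragment of the b-transition system of Example 4.2: the action step of $\gamma_1$ leads to the $T$-inconsistent intermediate state, whose two b-repairs are $A_1 = \{C(a)\}$ (which coincides with the initial state, so the system loops) and $A_2 = \{D(a)\}$; the action step of $\gamma_2(a)$ is sampled with the single value $c$ for $f(a)$. State names, the successor table and the restriction of queries to non-intermediate states are this example's own encoding; states without successors make $[-]$ vacuously true, as in the standard $\mu$-calculus semantics.

```python
"""Optimistic vs. robust reachability (mu L_A^IT patterns) over a two-layer transition system.

Constructed finite fragment of the b-transition system of Example 4.2 (not the paper's code).
"""

STATE_MARKER = ('State', ('temp',))

# state name -> ABox (intermediate states carry State(temp))
STATES = {
    's0': frozenset({('C', ('a',))}),                                   # (A0, ∅)
    't1': frozenset({('C', ('a',)), ('D', ('a',)), STATE_MARKER}),       # action step of gamma1: T-inconsistent
    'a2': frozenset({('D', ('a',))}),                                   # b-repair A2; repair A1 = {C(a)} is s0 again
    'u':  frozenset({('G', ('c',)), STATE_MARKER}),                     # action step of gamma2(a), f(a) = c sampled
    'g':  frozenset({('G', ('c',))}),                                   # repair step leaves the ABox unchanged
}
SUCC = {'s0': {'t1', 'u'}, 't1': {'s0', 'a2'}, 'u': {'g'}, 'a2': set(), 'g': set()}


def holds(atom, s):
    """Query an atom in state s; intermediate (action-step) states are never queried (Section 4.2)."""
    abox = STATES[s]
    return STATE_MARKER not in abox and atom in abox


def diamond(S):
    """<->S: states with some successor in S."""
    return {s for s in STATES if SUCC[s] & S}


def box(S):
    """[-]S: states all of whose successors are in S (vacuously true without successors)."""
    return {s for s in STATES if SUCC[s] <= S}


def lfp(step):
    """Least fixpoint of a monotone operator on sets of states, by Kleene iteration from ∅."""
    Z = set()
    while True:
        nxt = step(Z)
        if nxt == Z:
            return Z
        Z = nxt


def optimistic_reach(atom):
    """mu Z.(Phi ∨ <-><->Z): some action step followed by some repair leads towards Phi."""
    base = {s for s in STATES if holds(atom, s)}
    return lfp(lambda Z: base | diamond(diamond(Z)))


def robust_reach(atom):
    """mu Z.(Phi ∨ <->[-]Z): some action step such that every repair the service may pick leads towards Phi."""
    base = {s for s in STATES if holds(atom, s)}
    return lfp(lambda Z: base | diamond(box(Z)))


if __name__ == '__main__':
    D_a, G_c = ('D', ('a',)), ('G', ('c',))
    print('s0' in optimistic_reach(D_a))   # True: the service may pick A2
    print('s0' in robust_reach(D_a))       # False: it may also pick A1 and loop forever
    print('s0' in robust_reach(G_c))       # True: gamma2 never triggers a real repair
```

The two verdicts on $D(a)$ are the point: the repair service may choose $A_2$, so $D(a)$ is optimistically reachable from $s_0$, but it may equally choose $A_1$ every time, so no sequence of action steps reaches $D(a)$ regardless of the repairs, and robust reachability fails; for $G(c)$, where the repair step is trivial, both verdicts agree.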

Since for a given ABox there exist finitely many b-repairs, and one c-repair, the technique used to prove decidability of properties for run-bounded S-KABs can be extended to deal with b- and c-KABs as well.

Theorem 4.3. Verification of $\mu\mathcal{L}^{IT}_A$ properties over run-bounded b-KABs and c-KABs is decidable.

The precise relationship between b-KABs and c-KABs remains to be investigated.

5 Extended Repair Semantics for KABs

b-KABs and c-KABs provide an inconsistency-handling semantics to KABs. However, despite dealing with possible repairs when some action step produces a $T$-inconsistent ABox, they do not explicitly track whether a repair has been actually enforced, nor do they provide finer-grained insights about which TBox assertions were involved in the inconsistency. We extend the repair execution semantics so as to equip the transition system with this additional information.

While DL-Lite$_A$ does not allow, in general, to uniquely extract from a $T$-inconsistent ABox a set of individuals that are responsible for the inconsistency (Calvanese et al., 2007b), its separability property (Calvanese et al., 2007b) guarantees that inconsistency arises because a single negative TBox assertion is violated. More specifically, a $T$-inconsistency involves the violation of either a functionality assertion or a negative inclusion in $T$. Since DL-Lite$_A$ obeys the restriction that no functional role can be specialized, the first case can be detected by just considering the ABox and the functionality assertion alone. Contrariwise, the second also requires taking into account the positive inclusion assertions (since disjointness propagates downward to the subclasses). Thanks to the FO rewritability of ontology satisfiability in DL-Lite$_A$ (Calvanese et al., 2007b), the check can be done by constructing a FOL boolean query that corresponds to the considered functionality or negative inclusion assertion, and that can be directly evaluated over the ABox, considered as a database of facts.

Following (Calvanese et al., 2007b), given a functionality assertion $(\mathit{funct}\ R)$, we construct the query $q_{\mathit{unsat}}((\mathit{funct}\ R)) = \exists x, x_1, x_2 . \eta(R, x, x_1) \wedge \eta(R, x, x_2) \wedge x_1 \neq x_2$, where $\eta(R, x, y) = P(x, y)$ if $R = P$, and $\eta(R, x, y) = P(y, x)$ if $R = P^-$. Given a negative concept inclusion $B_1 \sqsubseteq \neg B_2$ and a set of positive inclusions $T_p$, we construct the query $q_{\mathit{unsat}}(B_1 \sqsubseteq \neg B_2, T_p) = \mathit{rew}(T_p, \exists x . \gamma(B_1, x) \wedge \gamma(B_2, x))$, where $\gamma(B, x) = N(x)$ if $B = N$, $\gamma(B, x) = P(x, \_)$ if $B = \exists P$, and $\gamma(B, x) = P(\_, x)$ if $B = \exists P^-$. Similarly, given a negative role inclusion $R_1 \sqsubseteq \neg R_2$, we construct the query $q_{\mathit{unsat}}(R_1 \sqsubseteq \neg R_2, T_p) = \mathit{rew}(T_p, \exists x_1, x_2 . \eta(R_1, x_1, x_2) \wedge \eta(R_2, x_1, x_2))$.

5.1 Extended Repair Transition System 

With this machinery at hand, given a KB $(T, A)$ we can now compute the set of TBox assertions in $T$ that are actually violated by $A$. To do so, we assume wlog that $C_0$ contains one distinguished constant per TBox assertion in $T$, and introduce a function $\mathrm{LABEL}$ that, given a TBox assertion, returns the corresponding constant. We then define the set $\mathrm{VIOL}(A, T)$ of constants labeling TBox assertions in $T$ violated by $A$, as:

$$\{d \in C_0 \mid \exists t \in T_f \text{ s.t. } d = \mathrm{LABEL}(t) \text{ and } A \models q_{\mathit{unsat}}(t)\} \cup \{d \in C_0 \mid \exists t \in T_n \text{ s.t. } d = \mathrm{LABEL}(t) \text{ and } A \models q_{\mathit{unsat}}(t, T_p)\}$$



Example 5.1. Consider $\mathcal{K}$ in Example 2.1 with $T = \{C \sqsubseteq \neg D\}$, and $A' = \{D(a), C(a)\}$ in Example 3.1. Assume that $\mathrm{LABEL}(C \sqsubseteq \neg D) = l$. We have $q_{\mathit{unsat}}(C \sqsubseteq \neg D, \emptyset) = \exists x . C(x) \wedge D(x)$. Since $A' \models q_{\mathit{unsat}}(C \sqsubseteq \neg D, \emptyset)$, we get $\mathrm{VIOL}(A', T) = \{l\}$. □

We now employ this information assuming that the repair service decorates the states it produces with information about which TBox functionality and negative inclusion assertions have been involved in the repair. This is done with a fresh concept $\mathit{Viol}$ that keeps track of the labels of violated TBox assertions.

Formally, we define the eb-transition system $\Upsilon^{eb}_\mathcal{K}$ (resp. ec-transition system $\Upsilon^{ec}_\mathcal{K}$) for KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$ as a (possibly infinite-state) transition system $(C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$ constructed starting from $\Upsilon^b_\mathcal{K}$ (resp. $\Upsilon^c_\mathcal{K}$) by refining the repair step as follows: if $(A, m) \in \Sigma$ and $\mathit{State}(\mathit{temp}) \in A$, then for each b-repair $A'$ (resp. the c-repair $A'$) of $A - \{\mathit{State}(\mathit{temp})\}$ with $T$, we have $(A'_v, m) \in \Sigma$ and $(A, m) \Rightarrow (A'_v, m)$, where $A'_v = A' \cup \{\mathit{Viol}(d) \mid d \in \mathrm{VIOL}(A', T)\}$.
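The repair step of Section 4 (b-repairs as maximal $T$-consistent subsets, the c-repair as their intersection) and the violation labelling $\mathrm{VIOL}(A, T)$ of this section, as one added example in Python that is not part of the paper. The TBox is constructed: it extends Example 2.1 with a positive inclusion $\mathit{Grad} \sqsubseteq \mathit{Stud}$, a negative inclusion $\mathit{Stud} \sqsubseteq \neg\exists\mathit{hasBoss}$ and the functionality assertion $(\mathit{funct}\ \mathit{hasBoss})$, so that both kinds of $q_{\mathit{unsat}}$ query are exercised and the downward propagation of disjointness through $T_p$ (the effect of $\mathit{rew}(T_p, \cdot)$ here, implemented by expanding each basic concept to its subsumees) is visible. The labels $l_1, l_2, l_3$ and the sample ABox are invented for the example; the extended repair step computes the labels over the ABox produced by the action step, i.e. the inconsistent one, which is the reading Example 5.1 applies.

```python
"""Bold and certain repairs of a DL-Lite_A ABox, and the VIOL labels of the extended repair step.

Constructed example (not the paper's code). Basic concepts are concept names or ('exists', R),
with R = 'P' or 'P-' (inverse role); atoms are (name, args) with args a tuple of individuals.
"""
from itertools import combinations

TP = [('Grad', 'Stud')]                                             # positive inclusion Grad ⊑ Stud
TN = [('neg', 'C', 'D'), ('neg', 'Stud', ('exists', 'hasBoss'))]    # C ⊑ ¬D, Stud ⊑ ¬∃hasBoss
TF = [('fun', 'hasBoss')]                                           # (funct hasBoss)
LABEL = {t: 'l%d' % (i + 1) for i, t in enumerate(TN + TF)}         # one distinguished constant each


def eta(R, abox):
    """η(R, x, y): the pairs (x, y) of role R in the ABox, reading P- as the inverse of P."""
    name, inverse = (R[:-1], True) if R.endswith('-') else (R, False)
    pairs = {args for n, args in abox if n == name and len(args) == 2}
    return {(y, x) for x, y in pairs} if inverse else pairs


def gamma(B, abox):
    """γ(B, x): individuals in the extension of basic concept B, reading the ABox as a database."""
    if isinstance(B, tuple):                        # ('exists', R): x with some R(x, _)
        return {x for x, _ in eta(B[1], abox)}
    return {args[0] for n, args in abox if n == B and len(args) == 1}


def subsumees(B):
    """Basic concepts B' with B' ⊑* B in Tp; rew(Tp, ·) expands γ(B, x) to all of them."""
    seen, todo = {B}, [B]
    while todo:
        b = todo.pop()
        for sub, sup in TP:
            if sup == b and sub not in seen:
                seen.add(sub)
                todo.append(sub)
    return seen


def viol(abox):
    """VIOL(A, T): labels of the functionality and negative inclusion assertions violated by A."""
    out = set()
    for t in TF:                                    # q_unsat((funct R)): two distinct fillers for one x
        pairs = eta(t[1], abox)
        if any(x1 == x2 and y1 != y2 for (x1, y1) in pairs for (x2, y2) in pairs):
            out.add(LABEL[t])
    for t in TN:                                    # q_unsat(B1 ⊑ ¬B2, Tp): rewritten extensions overlap
        ext1 = set().union(*(gamma(b, abox) for b in subsumees(t[1])))
        ext2 = set().union(*(gamma(b, abox) for b in subsumees(t[2])))
        if ext1 & ext2:
            out.add(LABEL[t])
    return out


def b_repairs(abox):
    """REP(A, T): the maximal T-consistent subsets of A (exponentially many in general)."""
    atoms, found = sorted(abox), []
    for size in range(len(atoms), -1, -1):          # largest first, so supersets are found before subsets
        for cand in combinations(atoms, size):
            cand = frozenset(cand)
            if not viol(cand) and not any(cand < r for r in found):
                found.append(cand)
    return found


def c_repair(abox):
    """The c-repair: intersection of all b-repairs."""
    reps = b_repairs(abox)
    return frozenset.intersection(*reps) if reps else frozenset()


def extended_repair_step(abox, bold=True):
    """Successor ABoxes A'_v = A' ∪ {Viol(d) | d ∈ VIOL} of the eb- (bold=True) or ec- repair step,
    with the labels computed over the action-step ABox passed in (State(temp) already removed)."""
    labels = viol(abox)
    reps = b_repairs(abox) if bold else [c_repair(abox)]
    return [r | {('Viol', (d,)) for d in labels} for r in reps]


# Constructed sample ABox: a violates C ⊑ ¬D, b is a Grad (hence Stud) with two bosses, d is fine.
SAMPLE = frozenset({('C', ('a',)), ('D', ('a',)), ('Grad', ('b',)),
                    ('hasBoss', ('b', 'm1')), ('hasBoss', ('b', 'm2')), ('Stud', ('d',))})

if __name__ == '__main__':
    print(sorted(viol(SAMPLE)))                     # ['l1', 'l2', 'l3']
    print(len(b_repairs(SAMPLE)), sorted(c_repair(SAMPLE)))   # 6 b-repairs, c-repair = {Stud(d)}
    for succ in extended_repair_step(SAMPLE, bold=False):
        print(sorted(succ))
```

On the sample ABox every b-repair keeps one of $C(a)$, $D(a)$ and one of $\mathit{Grad}(b)$, $\mathit{hasBoss}(b, m_1)$, $\mathit{hasBoss}(b, m_2)$, giving six of them, while the c-repair keeps only $\mathit{Stud}(d)$; on the $A'$ of Example 5.1 the function reproduces $\mathrm{VIOL}(A', T) = \{l_1\}$ and the two repairs of Example 4.1.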

5.2 Verification Under Extended Repair Semantics 

Thanks to the insertion of information about violated TBox assertions in their transition systems, eb-KABs and ec-KABs support the verification of $\mu\mathcal{L}^{IT}_A$ properties that mix dynamic requirements with queries over the instance-level information and over the meta-level information related to inconsistency. Notice that such properties can indirectly refer to specific TBox assertions, thanks to the fact that their labels belong to the set of distinguished constants $C_0$. Examples of formulae focused on the presence of violations in the system are:

• $\nu Z . (\neg\exists l . \mathit{Viol}(l)) \wedge [-][-]Z$ says that no state of the system is manipulated by the repair service;

• $\nu Z . (\forall l . \mathit{Viol}(l) \rightarrow (\mu Y . (\nu W . \neg\mathit{Viol}(l) \wedge [-][-]W) \vee \langle - \rangle[-]Y)) \wedge [-][-]Z$ says that, in all states, whenever a TBox assertion $l$ is violated, independently from the applied repairs there exists a run that reaches a state starting from which $l$ will never be violated anymore.

Since the TBox assertions are finitely many and fixed for a 
given KAB, the key decidability result of Theorem l4.3l can be 
seamlessly carried over to these extended repair semantics. 

Theorem 5.2. Verification of $\mu\mathcal{L}$ properties over run-bounded eb-KABs and ec-KABs is decidable.

5.3 From Standard to Extended Repair KABs 

It is clear that extended repair KABs are richer than repair KABs. We now show that eb- and ec-KABs are also richer than S-KABs, thanks to the fact that information about the violated TBox assertions is explicitly tracked in all states resulting from a repair step. In particular, verification of $\mu\mathcal{L}$ properties over a KAB $\mathcal{K}$ under standard semantics can be recast as a corresponding verification problem over $\mathcal{K}$ interpreted either under extended bold or extended certain repair semantics. The intuition behind the reduction is that a property holds over $\Upsilon^{S}_{\mathcal{K}}$ if that property holds in the portion of $\Upsilon^{eb}_{\mathcal{K}}$ (or $\Upsilon^{ec}_{\mathcal{K}}$) where no TBox assertion is violated. The absence of violation can be checked over $T$-consistent states by issuing the EQL query $\neg\exists x.[\mathit{Viol}(x)]$. Technically, we define a translation function $\tau$ that transforms an arbitrary $\mu\mathcal{L}_A$ property $\Phi$ into a $\mu\mathcal{L}$ property $\Phi' = \tau(\Phi)$. The translation $\tau(\Phi)$ is inductively defined by recurring over the structure of $\Phi$ and substituting each occurrence of $\langle - \rangle\Psi$ with $\langle - \rangle\langle - \rangle((\neg\exists x.\mathit{Viol}(x)) \wedge \tau(\Psi))$, and each occurrence of $[-]\Psi$ with $[-]\langle - \rangle((\neg\exists x.\mathit{Viol}(x)) \rightarrow \tau(\Psi))$. Observe that, in $\tau$, the choice of $\langle - \rangle$ for the nested operator can be substituted by $[-]$, because for $T$-consistent states produced by an action step, the repair step simply copies the resulting state, generating a unique successor even in the eb-semantics.
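The translation $\tau$ carried out over an explicit syntax tree, as an added Python example (not the paper's code); the nested-tuple encoding of formulas and the constructed sample property are assumptions of this example.

```python
"""The translation τ of Section 5.3 over an explicit formula syntax tree.

Added example, not the paper's code. The tuple encoding of formulas is an
assumption of this example: ("diamond", Ψ) is ⟨−⟩Ψ, ("box", Ψ) is [−]Ψ,
("nu"|"mu", Z, Ψ) and ("exists"|"forall", x, Ψ) are binders,
("and"|"or"|"implies", Ψ1, Ψ2) and ("not", Ψ) are connectives,
("atom", N, args) is an atom N(args) and ("var", Z) a fixpoint variable.
"""

NO_VIOL = ("not", ("exists", "x", ("atom", "Viol", ("x",))))  # ¬∃x.Viol(x)


def tau(phi):
    """τ(Φ): ⟨−⟩Ψ becomes ⟨−⟩⟨−⟩((¬∃x.Viol(x)) ∧ τ(Ψ)) and [−]Ψ becomes
    [−]⟨−⟩((¬∃x.Viol(x)) → τ(Ψ)); every other constructor is kept and τ is
    applied to its subformulas."""
    op = phi[0]
    if op == "diamond":
        return ("diamond", ("diamond", ("and", NO_VIOL, tau(phi[1]))))
    if op == "box":
        return ("box", ("diamond", ("implies", NO_VIOL, tau(phi[1]))))
    if op in ("nu", "mu", "exists", "forall"):
        return (op, phi[1], tau(phi[2]))
    if op in ("and", "or", "implies"):
        return (op, tau(phi[1]), tau(phi[2]))
    if op == "not":
        return ("not", tau(phi[1]))
    return phi  # atoms and fixpoint variables are unchanged


def to_str(phi):
    """Readable rendering, used to inspect the translated formula."""
    op = phi[0]
    if op == "atom":
        return f"{phi[1]}({', '.join(phi[2])})"
    if op == "var":
        return phi[1]
    if op == "not":
        return "¬" + to_str(phi[1])
    if op == "diamond":
        return "<->" + to_str(phi[1])
    if op == "box":
        return "[-]" + to_str(phi[1])
    if op in ("nu", "mu", "exists", "forall"):
        sym = {"nu": "ν", "mu": "μ", "exists": "∃", "forall": "∀"}[op]
        return f"{sym}{phi[1]}.({to_str(phi[2])})"
    sym = {"and": " ∧ ", "or": " ∨ ", "implies": " → "}[op]
    return f"({to_str(phi[1])}{sym}{to_str(phi[2])})"


# Constructed property under standard semantics: νZ.(C(a) ∧ [−]Z),
# "C(a) holds in every state reachable from the initial one".
PHI = ("nu", "Z", ("and", ("atom", "C", ("a",)), ("box", ("var", "Z"))))

if __name__ == "__main__":
    print(to_str(PHI))
    print(to_str(tau(PHI)))
```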

Theorem 5.3. Given a KAB $\mathcal{K}$ and a $\mu\mathcal{L}$ property $\Phi$,

The correctness of this result can be directly obtained by considering the semantics of $\mu\mathcal{L}$ and $\mu\mathcal{L}_A$, and the construction of the transition systems under the three semantics.

6 Weakly Acyclic KABs 

So far, all the decidability results here presented have relied on the assumption that the considered KAB is state-bounded. As pointed out in [Bagheri Hariri et al., 2013], run boundedness is a semantic condition that is undecidable to check. In [Bagheri Hariri et al., 2013], a sufficient, syntactic condition borrowed from weak acyclicity in data exchange [Fagin et al., 2005] has been proposed to actually check whether the KAB under study is run bounded and, in turn, verifiable.

Intuitively, given a KAB $\mathcal{K}$, this test constructs a dependency graph tracking how the actions of $\mathcal{K}$ transport values from one state to the next one. To track all the actual dependencies, every involved query is first rewritten considering the positive inclusion assertions of the TBox. Two types of dependencies are tracked: copy of values and use of values as parameters of a service call. $\mathcal{K}$ is said to be weakly acyclic if there is no cyclic chain of dependencies of the second kind. The presence of such a cycle could produce an infinite chain of fresh value generation through service calls.

The crux of the proof showing that weak acyclicity ensures run boundedness is based on the notion of positive dominant, which creates a simplified version of the KAB that, from the execution point of view, obeys three key properties. First, its execution consists of a single run that closely resembles the chase of a set of tuple-generating dependencies, which terminates under the assumption of weak acyclicity [Fagin et al., 2005], guaranteeing that the positive dominant is indeed run-bounded. Second, it considers only the positive inclusion assertions of the TBox, therefore always producing the same behaviour independently from which execution semantics is chosen among the ones discussed in this paper. Third, for every run contained in each of the transition systems generated under the standard, bold repair, certain repair, and their extended versions, the values accumulated along the run are "bounded" by the ones contained in the unique run of the positive dominant. This makes it possible to directly carry run-boundedness from the positive dominant to the original KAB, independently from which execution semantics is considered.

Theorem 6.1. Given a weakly acyclic KAB $\mathcal{K}$, we have that the transition systems of $\mathcal{K}$ under the standard, bold repair, certain repair, extended bold repair and extended certain repair semantics are all run-bounded.

Theorem 6.1 shows that weak acyclicity is an effective method to check verifiability of KABs under all inconsistency-aware semantics considered in this paper.

7 Conclusion 

We have approached the problem of inconsistency handling in Knowledge and Action Bases by resorting to an approach based on ABox repairs. An orthogonal approach to the one taken is to maintain ABoxes that are inconsistent with the TBox as states of the transition system, and rely, both for the progression mechanism and for answering queries used in verification, on consistent query answering [Bertossi, 2006; Lembo et al., 2010]. Notably, we are able to show that the decidability and complexity results established for the repair-based approaches carry over also to this setting. It remains open to investigate the relationship between these orthogonal approaches to dealing with inconsistency in KABs.
A Bisimulation and Invariance

We start by introducing the notion of isomorphism between ABoxes. Two ABoxes $A_1$ and $A_2$ are isomorphic, written $A_1 \cong A_2$, if there exists a bijection $h : S_1 \rightarrow S_2$, with $\mathrm{ADOM}(A_1) \cup C_0 \subseteq S_1$ and $\mathrm{ADOM}(A_2) \cup C_0 \subseteq S_2$, which is the identity on $C_0$, and s.t.:

1. for every concept assertion $N(d) \in A_1$, $N(h(d)) \in A_2$;

2. for every role assertion $P(d_1, d_2) \in A_1$, $P(h(d_1), h(d_2)) \in A_2$;

3. for every concept assertion $N(d) \in A_2$, $N(h^{-1}(d)) \in A_1$;

4. for every role assertion $P(d_1, d_2) \in A_2$, $P(h^{-1}(d_1), h^{-1}(d_2)) \in A_1$.

We write $A_1 \cong_h A_2$ to make $h$ explicit. Furthermore, with a slight abuse of notation, we write $A_2 = h(A_1)$, and $A_1 = h^{-1}(A_2)$, when there exists a bijection $h : S_1 \rightarrow S_2$, with $\mathrm{ADOM}(A_1) \cup C_0 \subseteq S_1$ and $\mathrm{ADOM}(A_2) \cup C_0 \subseteq S_2$, s.t. $A_1 \cong_h A_2$.

It is easy to see that isomorphism implies the following results.

Lemma A.1. Consider two knowledge bases $(T, A_1)$ and $(T, A_2)$, s.t. there exists a bijection $h$ with $A_2 = h(A_1)$. For every EQL query $q$, we have $(d_1, \ldots, d_n) \in \mathrm{ANS}(q, T, A_1)$ iff $(h(d_1), \ldots, h(d_n)) \in \mathrm{ANS}(h(q), T, h(A_1))$.

Proof. Trivial, by recalling the notion of first-order rewritability of EQL queries, and the fact that first-order logic cannot distinguish between isomorphic structures. □

We now recast the notion of history preserving bisimulation as defined in [Bagheri Hariri et al., 2013] in the context of KABs. Let $\Upsilon_1 = (C_1, T, \Sigma_1, s_{01}, \mathit{abox}_1, \Rightarrow_1)$ and $\Upsilon_2 = (C_2, T, \Sigma_2, s_{02}, \mathit{abox}_2, \Rightarrow_2)$ be transition systems, with $\mathit{abox}(s_0) \subseteq C_0 \subseteq C_1 \cap C_2$. Let $H$ be the set of partial bijections between $C_1$ and $C_2$ which are the identity over $C_0$. A history preserving bisimulation between $\Upsilon_1$ and $\Upsilon_2$ is a relation $B \subseteq \Sigma_1 \times H \times \Sigma_2$ such that $\langle s_1, h, s_2\rangle \in B$ implies that:

1. $h$ is a partial bijection between $C_1$ and $C_2$, s.t. $h$ fixes $C_0$ and $\mathit{abox}_1(s_1) \cong_h \mathit{abox}_2(s_2)$;

2. for each $s'_1$, if $s_1 \Rightarrow_1 s'_1$ then there is an $s'_2$ with $s_2 \Rightarrow_2 s'_2$ and a bijection $h'$ that extends $h$, such that $\langle s'_1, h', s'_2\rangle \in B$;

3. for each $s'_2$, if $s_2 \Rightarrow_2 s'_2$ then there is an $s'_1$ with $s_1 \Rightarrow_1 s'_1$ and a bijection $h'$ that extends $h$, such that $\langle s'_1, h', s'_2\rangle \in B$.

A state $s_1 \in \Sigma_1$ is history preserving bisimilar to $s_2 \in \Sigma_2$ wrt a partial bijection $h$, written $s_1 \approx_h s_2$, if there exists a history preserving bisimulation $B$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_1, h, s_2\rangle \in B$. A state $s_1 \in \Sigma_1$ is history preserving bisimilar to $s_2 \in \Sigma_2$, written $s_1 \approx s_2$, if there exists a partial bijection $h$ and a history preserving bisimulation $B$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_1, h, s_2\rangle \in B$. A transition system $\Upsilon_1$ is history preserving bisimilar to $\Upsilon_2$, written $\Upsilon_1 \approx \Upsilon_2$, if there exists a partial bijection $h_0$ and a history preserving bisimulation $B$ between $\Upsilon_1$ and $\Upsilon_2$ such that $\langle s_{01}, h_0, s_{02}\rangle \in B$.

The following fundamental result connects history preserving bisimulation and the logic $\mu\mathcal{L}$:

Theorem A.2. Consider two transition systems $\Upsilon_1$ and $\Upsilon_2$ such that $\Upsilon_1 \approx \Upsilon_2$. For every $\mu\mathcal{L}$ closed formula $\Phi$, we have: $\Upsilon_1 \models \Phi$ if and only if $\Upsilon_2 \models \Phi$.

Proof. The proof follows from that of Theorem 3.1 in [Bagheri Hariri et al., 2013], noticing that, by Lemma A.1, isomorphism indeed preserves certain answers. □

B Standard KABs 

B.1 Proof of Theorem 3.3

In principle, decidability can be obtained by taking advantage of first-order rewritability of DL-Lite$_A$, and translating a KAB into a corresponding Data-Centric Dynamic System [Bagheri Hariri et al., 2013]. However, in order to make the proof adaptable to the inconsistency-aware semantics discussed in the paper, we reconstruct the proof contained in [Bagheri Hariri et al., 2013] over KABs. We first discuss the intuition behind the proof, and then focus on the technical development.

Given a run-bounded S-KAB $\mathcal{K}$, the crux of the proof is to show how to construct an abstract transition system $\Theta^{S}_{\mathcal{K}}$ that satisfies exactly the same $\mu\mathcal{L}_A$ properties as the original transition system $\Upsilon^{S}_{\mathcal{K}}$. To do so, a first observation is that the only source of infiniteness in $\Upsilon^{S}_{\mathcal{K}}$ is the infinite branching arising when a service call is issued for the first time. In this case, given a state $s = \langle A, m\rangle$ in $\Upsilon^{S}_{\mathcal{K}}$, for every executable action with legal parameters $\alpha\sigma$, $s$ has an infinite number of successor states, each one corresponding to an assignment of all the newly introduced service calls to values in $C$, s.t. the resulting state does not violate any axiom of $T$.

One can see these successors as variations of a finite set of structures, each one expressing an isomorphic type (called equality commitment) constructed over the set of facts $E = \mathrm{DO}(T, A, \alpha\sigma)$ and the map $m$, by fixing the set of equalities and inequalities between the service calls that must be issued, and the service calls and values contained in $E$, $m$ and $C_0$. Each structure can be concretized into a successor state by evaluating the service calls so as to satisfy the equalities and inequalities induced by the equality commitment (this also guarantees that the evaluation agrees with $m$). Two concretizations of the same structure are isomorphic, i.e., they contain the same ABox and service call map modulo renaming of the newly introduced values.

We now observe that EQL queries do not distinguish isomorphic ABoxes. In particular, consider two ABoxes $A_1$ and $A_2$, and a bijection $h$ that induces an isomorphism between $A_1$ and $A_2$. Now consider an EQL query $q$ s.t. the constants used in $q$ appear in $h$, and let $h(q)$ be the query obtained by replacing such constants through the application of $h$. It is easy to see that the certain answers of $q$ over $A_1$ are exactly the same as those of $h(q)$ over $A_2$, modulo renaming of the values via $h$. The key consequence of this property is that, given a state $s$ of $\Upsilon^{S}_{\mathcal{K}}$, $\mu\mathcal{L}$ is not able to distinguish successors of $s$ that concretize $E$ by satisfying the same equality commitment. Therefore, all such successors can be collapsed into a unique representative successor, without affecting the satisfaction of a closed $\mu\mathcal{L}$ property $\Phi$ asked in the initial state of the system.

By inductively applying this pruning, we can construct a finite-state transition system $\Theta^{S}_{\mathcal{K}}$. Since the active domain of $\Theta^{S}_{\mathcal{K}}$ is finite, by quantifier elimination we can then transform $\Phi$ into a corresponding propositional $\mu$-calculus property $\phi$, and reduce verification of $\Phi$ over $\Upsilon^{S}_{\mathcal{K}}$ to standard model checking of $\phi$ over $\Theta^{S}_{\mathcal{K}}$, which is indeed decidable [Emerson, 1997].

Equality commitments. Given a set $S \subseteq \mathrm{SC} \cup C$ containing individuals and service calls, an equality commitment over $S$ is a partition $H$ of $S$ s.t. every cell of $H$ contains at most one element $d \in C$. Given an element $e \in S$, we use $[e]_H$ to denote the cell $e$ belongs to. With a slight abuse of notation, we say that $e \in H$ if $e \in S$. Now consider a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, a state $\langle A, m\rangle$, and an action $\alpha \in \Gamma$ with parameters $\sigma$, s.t. $\alpha\sigma$ is legal in $\langle A, m\rangle$ according to $\Pi$. Let $\mathcal{H}(T, \langle A, m\rangle, \alpha\sigma)$ be the set of equality commitments $H_i$ constructed over $\mathrm{ADOM}(C_0) \cup \mathrm{ADOM}(A) \cup \mathrm{DOM}(m) \cup \mathrm{IM}(m) \cup \mathrm{ADOM}(\mathrm{DO}(T, A, \alpha\sigma))$ that agree with $m$, i.e., for every assignment $(f \mapsto d)$ in $m$, $[f]_{H_i} = [d]_{H_i}$. Intuitively, the elements of $\mathcal{H}$ are equality commitments that fix the equivalence class to which every new service call, introduced by $\mathrm{DO}(T, A, \alpha\sigma)$, belongs.

We say that an evaluation $\theta \in \mathrm{EVALS}(T, A, \alpha\sigma)$ respects an equality commitment $H \in \mathcal{H}(T, \langle A, m\rangle, \alpha\sigma)$ if, for every pair of assignments $(f_1 \mapsto d_1), (f_2 \mapsto d_2)$ in $\theta$, $d_1 = d_2$ iff $f_1$ and $f_2$ belong to the same cell $P$ of $H$, and $d_1 = d_2 = d$ iff $d$ belongs to $P$.

Pruning. Given a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, we refine the definition of $\mathrm{EXEC}_{\mathcal{K}}$ so as to create a parsimonious version that minimally covers, state-by-state, the various equality commitments.

In particular, we define a transition relation $\text{P-EXEC}_{\mathcal{K}}$ as follows. For every $(\langle A, m\rangle, \alpha\sigma, \langle A', m'\rangle) \in \mathrm{EXEC}_{\mathcal{K}}$, fix $\theta = m' \setminus m$ and $H \in \mathcal{H}(T, \langle A, m\rangle, \alpha\sigma)$ s.t. $\theta$ respects $H$. Then there exists only one $\theta_p \in \mathrm{EVALS}(T, A, \alpha\sigma)$ s.t. $\theta_p$ respects $H$ and, given $A_p = \mathrm{DO}(T, A, \alpha\sigma)\theta_p$ and $m_p = m \cup \theta_p$, $(\langle A, m\rangle, \alpha\sigma, \langle A_p, m_p\rangle) \in \text{P-EXEC}_{\mathcal{K}}$. Intuitively, $\text{P-EXEC}_{\mathcal{K}}$ "prunes" $\mathrm{EXEC}_{\mathcal{K}}$ by collapsing into a unique representative tuple all transitions that are associated to a given starting state and action with parameters, and that respect the same equality commitment.

Starting from $\text{P-EXEC}_{\mathcal{K}}$, we define a pruning $\Theta^{S}_{\mathcal{K}}$ of the transition system under standard semantics $\Upsilon^{S}_{\mathcal{K}}$ as a transition system constructed following the standard semantics, but by using $\text{P-EXEC}_{\mathcal{K}}$ in place of $\mathrm{EXEC}_{\mathcal{K}}$ to inductively construct the set of states and transitions. In general, there exist infinitely many prunings, whose difference lies in the particular choice of the representatives when constructing $\text{P-EXEC}_{\mathcal{K}}$. However, we show that all such prunings are history-preserving bisimilar to the original transition system $\Upsilon^{S}_{\mathcal{K}}$. The following lemma is a key result in this direction, and intuitively shows that bisimulation does not distinguish different progressions that fix, step-by-step, the same equality commitments. In the lemma, for the sake of readability, given a service call map $m_1$ and a function $h : C \rightarrow C$ defined over all values contained in $m_1$ (considering both the service call parameters and their results), we write $m_2 = h(m_1)$ to denote the service call map constructed as follows: for every assignment $(f(d_1, \ldots, d_n) \mapsto d)$ in $m_1$, we have $(f(h(d_1), \ldots, h(d_n)) \mapsto h(d))$ in $m_2$.

Lemma B.1. Let $\mathcal{K}$ be a S-KAB with transition system $\Upsilon^{S}_{\mathcal{K}}$, and let $\Theta^{S}_{\mathcal{K}}$ be a pruning of $\Upsilon^{S}_{\mathcal{K}}$. Consider a state $\langle A, m\rangle$ of $\Upsilon^{S}_{\mathcal{K}}$ and a state $\langle A_p, m_p\rangle$ of $\Theta^{S}_{\mathcal{K}}$. If there exists a bijection $h$ s.t. $A_p = h(A)$ and $m_p = h(m)$ (or, equivalently, $m = h^{-1}(m_p)$), then $\langle A, m\rangle \approx_h \langle A_p, m_p\rangle$.

Proof. Let $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, $\Upsilon^{S}_{\mathcal{K}} = (C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$, and $\Theta^{S}_{\mathcal{K}} = (C, T, \Sigma_p, s_0, \mathit{abox}, \Rightarrow_p)$. To prove the lemma, we show that, for every state $\langle A', m'\rangle$ s.t. $\langle A, m\rangle \Rightarrow \langle A', m'\rangle$, there exists a state $\langle A'_p, m'_p\rangle$ and a bijection $h'$ s.t.: 1. $\langle A_p, m_p\rangle \Rightarrow_p \langle A'_p, m'_p\rangle$; 2. $h'$ extends $h$; 3. $A'_p = h'(A')$; 4. $m'_p = h'(m')$. By definition of $\Upsilon^{S}_{\mathcal{K}}$, if $\langle A, m\rangle \Rightarrow \langle A', m'\rangle$, then there exists an action $\alpha \in \Gamma$ with parameters $\sigma$ s.t. $\alpha\sigma$ is legal in $\langle A, m\rangle$ according to $\Pi$, and $\theta \in \mathrm{EVALS}(T, A, \alpha\sigma)$ s.t. $\theta$ agrees with $m$, $A' = \mathrm{DO}(T, A, \alpha\sigma)\theta$, and $m' = m \cup \theta$. From this information, we can extract the equality commitment $H \in \mathcal{H}(T, \langle A, m\rangle, \alpha\sigma)$ s.t. $\theta$ respects $H$.

Since $A_p = h(A)$, from Lemma A.1 we know that the certain answers computed over $A$ are the same, modulo renaming through $h$, as those computed over $A_p$. Furthermore, since $\sigma$ maps parameters of $\alpha$ to values in $\mathrm{ADOM}(A)$, we can construct $\sigma_p$ mapping parameters of $\alpha$ to values in $\mathrm{ADOM}(A_p)$, so that $(x \mapsto d)$ in $\sigma$ implies $(x \mapsto h(d))$ in $\sigma_p$. By hypothesis, we also know that $m_p = h(m)$. As a consequence, we have that $\alpha\sigma_p$ is legal in $\langle A_p, m_p\rangle$ according to $\Pi$, and that $\mathcal{H}(T, \langle A_p, m_p\rangle, \alpha\sigma_p)$ contains the same equality commitments as $\mathcal{H}(T, \langle A, m\rangle, \alpha\sigma)$ up to renaming of individuals through $h$. Now pick the commitment $H_p \in \mathcal{H}(T, \langle A_p, m_p\rangle, \alpha\sigma_p)$ that corresponds to $H$ up to renaming of individuals through $h$.

By definition of pruning, we know that there exists a unique $\theta_p$ that respects $H_p$ (and, in turn, agrees with $m_p$) s.t., given $A'_p = \mathrm{DO}(T, A_p, \alpha\sigma_p)\theta_p$ and $m'_p = m_p \cup \theta_p$, we have $\langle A_p, m_p\rangle \Rightarrow_p \langle A'_p, m'_p\rangle$. Since $H_p$ corresponds to $H$ up to renaming of individuals through $h$, $\theta$ respects $H$, and $\theta_p$ respects $H_p$, we can lift $h$ to an extended bijection $h'$ s.t. $\theta_p = h'(\theta)$. By construction, this means that $A'_p = h'(A')$, and that $m'_p = h'(m')$, hence the claim is proven.

The other direction can be proven in the symmetric way. □

Lemma B.2. For every S-KAB $\mathcal{K}$ with transition system $\Upsilon^{S}_{\mathcal{K}}$ and every pruning $\Theta^{S}_{\mathcal{K}}$ of $\Upsilon^{S}_{\mathcal{K}}$, we have $\Theta^{S}_{\mathcal{K}} \approx \Upsilon^{S}_{\mathcal{K}}$.

Proof. Immediate consequence of Lemma B.1, by noticing that the initial states of $\Upsilon^{S}_{\mathcal{K}}$ and $\Theta^{S}_{\mathcal{K}}$ are the same, and can therefore be connected through the identity bijection between their active domains. □

Proof of Theorem 3.3. Given a run-bounded KAB $\mathcal{K}$, we observe that each pruning $\Theta^{S}_{\mathcal{K}}$ of $\Upsilon^{S}_{\mathcal{K}}$ is finite-state. On the one hand, thanks to run-boundedness each run consists of a finite number of states. On the other hand, thanks to the definition of pruning, each state has only finitely many successors. In fact, given a state of $\Theta^{S}_{\mathcal{K}}$, there are only finitely many equality commitments that can be created by considering all possible actions with parameters. This implies that the entire active domain $\mathrm{ADOM}(\Theta^{S}_{\mathcal{K}})$ of $\Theta^{S}_{\mathcal{K}}$ is finite as well.

By Lemma B.2 and Theorem A.2 we know that $\Theta^{S}_{\mathcal{K}}$ is a faithful abstraction of $\Upsilon^{S}_{\mathcal{K}}$, i.e., for every $\mu\mathcal{L}$ formula $\Phi$, $\Upsilon^{S}_{\mathcal{K}} \models \Phi$ iff $\Theta^{S}_{\mathcal{K}} \models \Phi$. Taking advantage of the finiteness of $\mathrm{ADOM}(\Theta^{S}_{\mathcal{K}})$, by quantifier elimination we can construct a propositional $\mu$-calculus property $\phi$ s.t. $\Theta^{S}_{\mathcal{K}} \models \Phi$ iff $\Theta^{S}_{\mathcal{K}} \models \phi$. The proof completes by observing that verifying whether $\Theta^{S}_{\mathcal{K}} \models \phi$ amounts to standard model checking of propositional $\mu$-calculus over finite-state transition systems, which is indeed decidable [Emerson, 1997].

C KABs Under Repair Semantics

We open this section by observing that the repair service does not distinguish between isomorphic ABoxes.

Lemma C.1. Consider two knowledge bases $(T, A_1)$ and $(T, A_2)$, s.t. there exists a bijection $h$ with $A_2 = h(A_1)$. Then for every ABox $A'_1$ s.t. $A'_1 \in \mathrm{REP}(A_1, T)$, we have $h(A'_1) \in \mathrm{REP}(A_2, T)$, and for every ABox $A'_2$ s.t. $A'_2 \in \mathrm{REP}(A_2, T)$, we have $h^{-1}(A'_2) \in \mathrm{REP}(A_1, T)$.

Proof. Trivial, by recalling the notion of first-order rewritability of ontology satisfiability in DL-Lite$_A$, and the fact that first-order logic cannot distinguish between isomorphic structures. □

C.1 Proof of Theorem 4.3

Given a KAB $\mathcal{K}$, we introduce the pruning $\Theta_{\mathcal{K}}$ of the transition system under repair semantics (denoted by $\Upsilon^{b}_{\mathcal{K}}$ for the bold semantics, and $\Upsilon^{c}_{\mathcal{K}}$ for the certain semantics), as the transition system constructed following one of the two repair semantics, but by relying on the transition relation $\text{P-EXEC}_{\mathcal{K}}$ (as defined in Section B.1) in place of $\mathrm{EXEC}_{\mathcal{K}}$. Differently from the standard case, to show that $\Theta_{\mathcal{K}} \approx \Upsilon^{b}_{\mathcal{K}}$ ($\Theta_{\mathcal{K}} \approx \Upsilon^{c}_{\mathcal{K}}$ resp.) we have to deal with both the action and the repair step. In particular, we reconstruct Lemma B.1 in this two-step setting.

Lemma C.2. Let $\mathcal{K}$ be a b-KAB (c-KAB respectively) with transition system $\Upsilon^{b}_{\mathcal{K}}$ ($\Upsilon^{c}_{\mathcal{K}}$ resp.), and let $\Theta_{\mathcal{K}}$ be a pruning of $\Upsilon^{b}_{\mathcal{K}}$ ($\Upsilon^{c}_{\mathcal{K}}$ resp.). Consider a state $\langle A, m\rangle$ of $\Upsilon^{b}_{\mathcal{K}}$ ($\Upsilon^{c}_{\mathcal{K}}$ resp.), and a state $\langle A_p, m_p\rangle$ of $\Theta_{\mathcal{K}}$. If there exists a bijection $h$ s.t. $A_p = h(A)$ and $m_p = h(m)$ (or, equivalently, $m = h^{-1}(m_p)$), then $\langle A, m\rangle \approx_h \langle A_p, m_p\rangle$.

Proof. Let $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, $\Upsilon^{b}_{\mathcal{K}} = (C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$ (resp., $\Upsilon^{c}_{\mathcal{K}} = (C, T, \Sigma, s_0, \mathit{abox}, \Rightarrow)$), and $\Theta_{\mathcal{K}} = (C, T, \Sigma_p, s_0, \mathit{abox}, \Rightarrow_p)$. To prove the lemma, we show that, for every state $\langle A', m'\rangle$ s.t. $\langle A, m\rangle \Rightarrow \langle A', m'\rangle$, there exists a state $\langle A'_p, m'_p\rangle$ and a bijection $h'$ s.t.: 1. $\langle A_p, m_p\rangle \Rightarrow_p \langle A'_p, m'_p\rangle$; 2. $h'$ extends $h$; 3. $A'_p = h'(A')$; 4. $m'_p = h'(m')$. To show the claim, we have to separately discuss the case in which $\mathit{State}(\mathit{temp}) \notin A$, and the case in which $\mathit{State}(\mathit{temp}) \in A$. The first case is equivalent for $\Upsilon^{b}_{\mathcal{K}}$ and $\Upsilon^{c}_{\mathcal{K}}$, whereas the second case is different, since the two semantics diverge when it comes to the repair step (b-KABs nondeterministically produce one among the possible repairs, while c-KABs construct a unique repair corresponding to the intersection of the possible repairs).

Base case: trivial, because the transition system and its pruning start from the same initial state $\langle A_0, \emptyset\rangle$.



Case 1 (action step): $\mathit{State}(\mathit{temp}) \notin A$. First of all, we observe that $\mathit{temp}$ is a distinguished constant of $C_0$, hence $h(\mathit{temp}) = \mathit{temp}$. Since $A \cong_h A_p$, $\mathit{State}(\mathit{temp}) \notin A_p$. The claim can then be proven exactly in the same way as done for Lemma B.1, noticing however that each ABox $A'$ s.t. $A \Rightarrow A'$ contains $\mathit{State}(\mathit{temp})$, making the induction hypothesis for case 1 inapplicable, and the one for case 2 applicable.

Case 2 (repair step) - bold semantics: $\mathit{State}(\mathit{temp}) \in A$. By hypothesis, $A_p = h(A)$, and since $h(\mathit{temp}) = \mathit{temp}$, $\mathit{State}(\mathit{temp}) \in A_p$ as well. Notice that $h$ is syntactically applied over the ABoxes $A$ and $A_p$ without involving the TBox $T$, and therefore it can be applied also when such ABoxes are $T$-inconsistent. On the one hand, by construction of the transition system under the bold repair semantics, we therefore know that:

1. for every $s'$ s.t. $\langle A, m\rangle \Rightarrow s'$, we have $s' = \langle A', m\rangle$, with $A' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)$;

2. for every $s'_p$ s.t. $\langle A_p, m_p\rangle \Rightarrow_p s'_p$, we have $s'_p = \langle A'_p, m_p\rangle = \langle A'_p, h(m)\rangle$, with $A'_p \in \mathrm{REP}(A_p - \{\mathit{State}(\mathit{temp})\}, T)$.

On the other hand, since $A_p = h(A)$, from Lemma C.1 we get that for every $A'' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)$, $h(A'') \in \mathrm{REP}(A_p - \{\mathit{State}(\mathit{temp})\}, T)$. We therefore obtain that, for every state $\langle A', m\rangle$ s.t. $\langle A, m\rangle \Rightarrow \langle A', m\rangle$, we have $\langle A_p, m_p\rangle \Rightarrow_p \langle h(A'), m_p\rangle = \langle h(A'), h(m)\rangle$.

Finally, notice that, by construction, $A'$ and $A'_p$ do not contain $\mathit{State}(\mathit{temp})$. The claim is therefore proven by inductively applying Case 1 over $A'$, $A'_p$ and $h$.

The other direction can be proven in the symmetric way.

Case 2 (repair step) - certain semantics: $\mathit{State}(\mathit{temp}) \in A$. By hypothesis, $A_p = h(A)$, and since $h(\mathit{temp}) = \mathit{temp}$, $\mathit{State}(\mathit{temp}) \in A_p$ as well. Notice that $h$ is syntactically applied over the ABoxes $A$ and $A_p$ without involving the TBox $T$, and therefore it can be applied also when such ABoxes are $T$-inconsistent. On the one hand, by construction of the transition system under the certain repair semantics, we therefore know that:

1. there exists exactly one $s' = \langle A', m\rangle$ s.t. $\langle A, m\rangle \Rightarrow s'$, where $A' = \bigcap_{A'' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)} A''$;

2. there exists exactly one $s'_p = \langle A'_p, m_p\rangle = \langle A'_p, h(m)\rangle$ s.t. $\langle A_p, m_p\rangle \Rightarrow_p s'_p$, where $A'_p = \bigcap_{A''_p \in \mathrm{REP}(A_p - \{\mathit{State}(\mathit{temp})\}, T)} A''_p$.

On the other hand, since $A_p = h(A)$, from Lemma C.1 we get that $A'' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)$ iff $h(A'') \in \mathrm{REP}(A_p - \{\mathit{State}(\mathit{temp})\}, T)$. As a consequence, $A'_p = \bigcap_{A'' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)} h(A'') = h\big(\bigcap_{A'' \in \mathrm{REP}(A - \{\mathit{State}(\mathit{temp})\}, T)} A''\big) = h(A')$. Finally, notice that, by construction, $A'$ and $A'_p$ do not contain $\mathit{State}(\mathit{temp})$. The claim is therefore proven by inductively applying Case 1 over $A'$, $A'_p$, and $h$. □

With Lemma C.2 at hand, we can easily reconstruct the proof of Theorem 3.3 (given in Section B.1) for b- and c-KABs. Since $\mu\mathcal{L}_A$ is a fragment of $\mu\mathcal{L}$, we get the result.



D KABs under Extended Repair Semantics

D.1 Proof of Theorem 5.2

Given an eb-KAB (ec-KAB respectively) $\mathcal{K}$, we introduce the pruning $\Theta_{\mathcal{K}}$ of the transition system $\Upsilon^{eb}_{\mathcal{K}}$ ($\Upsilon^{ec}_{\mathcal{K}}$ resp.), as the transition system constructed following the extended bold (extended certain, resp.) repair semantics, but by relying on the transition relation $\text{P-EXEC}_{\mathcal{K}}$ (as defined in Section B.1) in place of $\mathrm{EXEC}_{\mathcal{K}}$. To prove $\Theta_{\mathcal{K}} \approx \Upsilon^{eb}_{\mathcal{K}}$ ($\Theta_{\mathcal{K}} \approx \Upsilon^{ec}_{\mathcal{K}}$ resp.), one can follow step by step the line of reasoning of Section C.1, taking into consideration the fact that $\mathit{Viol}$ concept assertions are inserted into the ABoxes produced by a repair step. It can be easily noticed that such assertions do not introduce any additional complication. Remember, in fact, that given an ABox $A$, these assertions are produced by computing the set $\mathrm{VIOL}(A, T)$, which is in turn produced by issuing a series of closed first-order queries over $A$, considered as a database of facts. Consequently, given two ABoxes $A$ and $A_p$ and a bijection $h$ s.t. $A_p = h(A)$, $\mathrm{VIOL}(A, T) = \mathrm{VIOL}(h(A), T) = \mathrm{VIOL}(A_p, T)$.

E Weakly Acyclic KABs

Weakly acyclic KABs are inspired by weakly acyclic tuple-generating dependencies in data exchange [Fagin et al., 2005]. As in data exchange, in our setting weak acyclicity is a property defined over a dependency graph, constructed from the KAB's specification. In particular, the dependency graph captures the transfer of individuals from one state to the next state, differentiating between the case of copy, and the case of service calls. In fact, the latter case may introduce fresh values into the system. The dependency graph is defined as a variation of the definitions given in [Bagheri Hariri et al., 2013] and [Bagheri Hariri et al., 2012].

Given a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, we define its dependency graph $G = (V, E)$ as follows:

1. Nodes are defined starting from $T$. More specifically, we have one node $(N, 1) \in V$ for each concept $N$ in $T$, and two nodes $(P, 1), (P, 2) \in V$ for every role $P$ in $T$ (reflecting the fact that roles are binary relations, i.e., have two components).

2. Edges are defined starting from the effect specifications in $\Gamma$. We discuss the case of two concept assertions (the case of role assertions is analogous). In particular:

(a) an ordinary edge $(N_1, 1) \rightarrow (N_2, 1)$ is contained in $E$ if there exists an action $\gamma \in \Gamma$, an effect specification $[q^+] \wedge Q^- \rightsquigarrow A'$ in $\gamma$, and a variable or parameter $x$ s.t. $N_1(x)$ appears in $\mathit{rew}(q^+, T)$ (i.e., in the perfect rewriting of $q^+$ w.r.t. $T$), and $N_2(x)$ appears in $A'$ (similarly for nodes corresponding to role assertions);

(b) a special edge $(N_1, 1) \rightarrow (N_2, 1)$ is contained in $E$ if there exists an action $\gamma \in \Gamma$, an effect specification $[q^+] \wedge Q^- \rightsquigarrow A'$ in $\gamma$, and a variable or parameter $x$ s.t. $N_1(x)$ appears in $\mathit{rew}(q^+, T)$, and $N_2(f(\ldots, x, \ldots))$ appears in $A'$ (similarly for nodes corresponding to role assertions).

A KAB $\mathcal{K}$ is weakly acyclic if its dependency graph has no cycle going through a special edge.
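The dependency-graph construction and the weak-acyclicity test sketched in Section 6 and defined above, as an added Python example (not the paper's code); the encoding of effect specifications, the omission of the negative part $Q^-$, and the approximation of $\mathit{rew}(q^+, T)$ by closing concept atoms along positive inclusions between concept names are assumptions of this example.

```python
"""Dependency graph and weak-acyclicity test of Section 6 / Appendix E.

Added example, not the paper's code. Assumptions: an effect specification is a
pair (q_plus, new_facts), where q_plus is a list of atoms ("N", ("x",)) or
("P", ("x", "y")) over variables/parameters and new_facts may carry service
call terms written as ("f", ("x", ...)); the negative part Q− plays no role in
the graph and is omitted; the perfect rewriting rew(q+, T) is approximated by
closing each concept atom of q+ downward along positive inclusions between
concept names (role inclusions are not handled).
"""
from collections import defaultdict


def subconcepts(concept, pos_inclusions):
    """All M with M ⊑* concept under T_p (concept itself included)."""
    subs, todo = set(), [concept]
    while todo:
        c = todo.pop()
        if c not in subs:
            subs.add(c)
            todo.extend(sub for sub, sup in pos_inclusions if sup == c)
    return subs


def dependency_graph(actions, pos_inclusions):
    """Nodes (N, i) and edges (src, dst, special): an ordinary edge copies a
    value x from component src into component dst, a special edge feeds x
    into a service call whose result lands in dst."""
    nodes, edges = set(), set()
    for effects in actions.values():
        for q_plus, new_facts in effects:
            # components of rew(q+, T) in which each variable appears
            sources = defaultdict(set)
            for pred, args in q_plus:
                preds = subconcepts(pred, pos_inclusions) if len(args) == 1 else {pred}
                for i, x in enumerate(args, start=1):
                    for p in preds:
                        nodes.add((p, i))
                        sources[x].add((p, i))
            for pred, args in new_facts:
                for i, term in enumerate(args, start=1):
                    nodes.add((pred, i))
                    if isinstance(term, tuple):        # service call f(..., x, ...)
                        for x in term[1]:
                            for src in sources.get(x, ()):
                                edges.add((src, (pred, i), True))
                    else:                              # plain copy of x
                        for src in sources.get(term, ()):
                            edges.add((src, (pred, i), False))
    return nodes, edges


def reachable(start, edges):
    """Nodes reachable from start along edges of either kind."""
    succ = defaultdict(set)
    for src, dst, _ in edges:
        succ[src].add(dst)
    seen, todo = set(), [start]
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(succ[n])
    return seen


def is_weakly_acyclic(actions, pos_inclusions):
    """True iff no cycle of the dependency graph goes through a special edge,
    i.e. no special edge src -> dst has src reachable again from dst."""
    _, edges = dependency_graph(actions, pos_inclusions)
    return not any(special and src in reachable(dst, edges)
                   for src, dst, special in edges)


# Constructed KAB fragments. `register` creates a fresh D-value from every C
# and promotes D's to E; `relabel` instead promotes D's back to C.
ACYCLIC = {"register": [([("C", ("x",))], [("D", (("f", ("x",)),))]),
                        ([("D", ("x",))], [("E", ("x",))])]}
CYCLIC = {"relabel": [([("C", ("x",))], [("D", (("f", ("x",)),))]),
                      ([("D", ("x",))], [("C", ("x",))])]}

if __name__ == "__main__":
    print(is_weakly_acyclic(ACYCLIC, []))            # True
    print(is_weakly_acyclic(ACYCLIC, [("E", "C")]))  # False: E ⊑ C closes the cycle
    print(is_weakly_acyclic(CYCLIC, []))             # False
```

The second call shows why the queries are rewritten first: without the positive inclusion $E \sqsubseteq C$ the graph is acyclic, with it the atom $C(x)$ also reads $E$-values and the special edge closes a cycle.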

E.1 Proof of Theorem 6.1

To prove the theorem, we resort to the approach discussed in [Bagheri Hariri et al., 2013] and [Bagheri Hariri et al., 2012], adapting it so as to deal with inconsistency. More specifically, the main steps to prove the result are as follows:

1. Given a KAB $\mathcal{K}$, we introduce its consistent approximant $\mathcal{K}^p$ and positive dominant $\mathcal{K}^+$, which incrementally simplify $\mathcal{K}$ while maintaining the same dependency graph.

2. We show that when $\mathcal{K}^+$ is weakly acyclic, then it is run-bounded.

3. We show that $\mathcal{K}^+$ "dominates" $\mathcal{K}^p$ under all semantics discussed in the paper, i.e., the active domain of the transition system for $\mathcal{K}^p$ is always contained in the active domain of the transition system for $\mathcal{K}^+$.

4. We do the same for $\mathcal{K}^p$ w.r.t. $\mathcal{K}$, thus transferring the weak acyclicity property from $\mathcal{K}^+$ to $\mathcal{K}$.

Technically, given a KAB $\mathcal{K} = (T, A_0, \Gamma, \Pi)$, we define the consistent approximant $\mathcal{K}^p$ of $\mathcal{K}$ as a KAB $\mathcal{K}^p = (T_p, A^p_0, \Gamma^p, \Pi)$, where $A^p_0$ and $\Gamma^p$ are obtained as follows:

• $A^p_0 = A_0 \cup \{\mathit{Viol}(d) \mid \exists t \in T_n \cup T_f \text{ s.t. } d = \mathrm{LABEL}(t)\}$; i.e., $A^p_0$ saturates $A_0$ with all possible violations of negative inclusion and functionality assertions in $T$.

• For every action $\alpha(p_1, \ldots, p_n) : \{e_1, \ldots, e_m\} \in \Gamma$ we have $\alpha(p_1, \ldots, p_n) : \{e_v, e_1, \ldots, e_m\} \in \Gamma^p$, where $e_v = \mathit{Viol}(x) \rightsquigarrow \{\mathit{Viol}(x)\}$ copies all $\mathit{Viol}$ assertions.

Notice that the TBox of the consistent approximant is constituted by the positive inclusion assertions of the original TBox. Starting from the consistent approximant, we define the positive dominant $\mathcal{K}^+$ of $\mathcal{K}$ as a KAB $\mathcal{K}^+ = (T_p, A^p_0, \Gamma^+, \Pi^+)$, where $\Gamma^+$ and $\Pi^+$ are obtained as follows:

• For each action $\alpha(p_1, \ldots, p_n) : \{e_1, \ldots, e_m\} \in \Gamma^p$ we have $\alpha^+() : \{e^+_1, \ldots, e^+_m\} \in \Gamma^+$ where, given $e_i = [q^+_i] \wedge Q^-_i \rightsquigarrow A'_i$, we have $e^+_i = [q^+_i] \rightsquigarrow A'_i$.

• For each condition-action rule $Q \mapsto \alpha(p_1, \ldots, p_n) \in \Pi$, we have $\mathit{true} \mapsto \alpha^+() \in \Pi^+$.

It is easy to show that the dependency graphs of $\mathcal{K}$, $\mathcal{K}^p$ and $\mathcal{K}^+$ coincide, and therefore $\mathcal{K}$ is weakly acyclic iff $\mathcal{K}^p$ is weakly acyclic iff $\mathcal{K}^+$ is weakly acyclic.

Theorem E.1. Given a KAB $\mathcal{K}$, if $\mathcal{K}$ is weakly acyclic then its positive dominant $\mathcal{K}^+$ is run-bounded.

Proof. By compiling away the TBox of $\mathcal{K}^+$ exploiting the first-order rewritability of DL-Lite$_A$, the obtained KAB exactly corresponds to the notion of positive approximant defined for relational Data-Centric Dynamic Systems in [Bagheri Hariri et al., 2013]. The proof is then directly obtained from the proof of Theorem 4.7 in [Bagheri Hariri et al., 2013]. □




To show that Theorem E.1 extends to the KAB itself under each of the semantics considered in this paper, we first introduce the notion of dominance between transition systems. Technically, a transition system $\Upsilon_1$ is dominated by $\Upsilon_2$ if, for every run $\tau_1$ in $\Upsilon_1$ there exists a run $\tau_2$ in $\Upsilon_2$ s.t. for all pairs of states $\tau_1(i)$ and $\tau_2(i)$, we have $\mathit{abox}(\tau_1(i)) \subseteq \mathit{abox}(\tau_2(i))$. By definition, we consequently have that if $\Upsilon_2$ is run-bounded, then $\Upsilon_1$ is run-bounded as well. This shows that, to prove run-boundedness of a transition system, it is sufficient to prove that such a transition system is dominated by a run-bounded transition system.

With this machinery at hand, we are now able to prove the following two key lemmas, which respectively show that for any semantics considered in this paper, the consistent approximant is dominated by the positive dominant, and dominates the original KAB.

Lemma E.2. For any KAB $\mathcal{K}$, we have that:

1. $\Upsilon^{S}_{\mathcal{K}^p}$ is dominated by $\Upsilon^{S}_{\mathcal{K}^+}$;

2. $\Upsilon^{b}_{\mathcal{K}^p}$ is dominated by $\Upsilon^{b}_{\mathcal{K}^+}$;

3. $\Upsilon^{c}_{\mathcal{K}^p}$ is dominated by $\Upsilon^{c}_{\mathcal{K}^+}$;

4. $\Upsilon^{eb}_{\mathcal{K}^p}$ is dominated by $\Upsilon^{eb}_{\mathcal{K}^+}$;

5. $\Upsilon^{ec}_{\mathcal{K}^p}$ is dominated by $\Upsilon^{ec}_{\mathcal{K}^+}$.

Proof. We discuss claim 1 and claims 2-5 separately. 

Each claim can be obtained by proving the following stronger 
claim: for every run r in T^p (resp., T^p, T^p, T^^p, 



T^^p), there exists a run r"*" 



in Tf-^. (resp.. 



k:+' 



"^+) s.t. for all pairs of state r(i) 



{Ai,m,) and 



A,, 



,m. 



), we have: 



_ c At- 

mf extends nii ; 

for the mappings mentioned in mf but not in nii, mf 
"agrees" with the maps contained in the suffix of T(i), 
i.e., 

where Q = DOM(?7i+) n IJ^-^^ DOM(mj). 

Claim 1. Thanks to the first-order rewritability of 
DL-Lite^, f<f and JC^ can be correspondingly rep- 
resented as a Data-Centric Dynamic System in the 
sense of i Bagheri Hariri et al, 2013) . The proof is then 
directly obtained from the proof of Lemma 4.1 in 
I Bagheri Hariri et al.,20\2>\. 

Claim 2-5. The claims can be easily shown by observing that 
KP and /C"*" never produce an ABox that is Tp-inconsistent, 
since they only consider positive inclusion assertions. Conse- 
quently, under each of the repair semantics, the repair service 
does not affect the current ABox: it simply generates a unique 
successor that contains the same ABox and service call map 
produced by the previous action step. This shows that T^p == 






T^^p and that T^+ 



^c 






^ ICP ~ ^K" ~ ^ KP """ "'"'■ ^ K+ ~ ^ K+ ~ ^ /C+ ~ ^ K+- 

To get the claims, given the current state $(A, m)$ in $\Upsilon^{b}_{\mathcal{K}^p}$, we 
specifically discuss the case in which $\mathit{State}(\mathit{temp}) \notin A$, and 
the case in which $\mathit{State}(\mathit{temp}) \in A$: 

(base case) Trivial, because the initial states of $\Upsilon^{b}_{\mathcal{K}^p}$ and 
$\Upsilon^{b}_{\mathcal{K}^+}$ coincide (they are both equal to $(A_0, \emptyset)$). 

(case 1 - action step) Since it cannot be the case that the state 
produced after an action step is $T_p$-inconsistent, the 
proof exactly follows the one for Claim 1. 



(case 2 - repair step) Consider $\tau(i) = (A, m)$ and $\tau^+(i) = (A^+, m^+)$ s.t.: 
1. $\mathit{State}(\mathit{temp}) \in A$ and $\mathit{State}(\mathit{temp}) \in A^+$; 
2. $A$ and $A^+$ satisfy condition 1; 
3. $m$ and $m^+$ satisfy conditions 2 and 3. 
Since $A$ and $A^+$ are $T_p$-consistent, there is a unique successor 
$(A \setminus \{\mathit{State}(\mathit{temp})\}, m)$ of $\tau(i)$ in $\Upsilon^{b}_{\mathcal{K}^p}$, and a unique suc- 
cessor $(A^+ \setminus \{\mathit{State}(\mathit{temp})\}, m^+)$ of $\tau^+(i)$ in $\Upsilon^{b}_{\mathcal{K}^+}$. It 
is trivial to see that these successors satisfy the three con- 
ditions of the claim above. □ 

Lemma E.3. For any KAB $\mathcal{K}$, we have that: 

1. $\Upsilon_{\mathcal{K}}$ is dominated by $\Upsilon_{\mathcal{K}^p}$; 
2. $\Upsilon^{b}_{\mathcal{K}}$ is dominated by $\Upsilon^{b}_{\mathcal{K}^p}$; 
3. $\Upsilon^{c}_{\mathcal{K}}$ is dominated by $\Upsilon^{c}_{\mathcal{K}^p}$; 
4. $\Upsilon^{eb}_{\mathcal{K}}$ is dominated by $\Upsilon^{eb}_{\mathcal{K}^p}$; 
5. $\Upsilon^{ec}_{\mathcal{K}}$ is dominated by $\Upsilon^{ec}_{\mathcal{K}^p}$. 



Proof. We discuss each claim separately, by referring to the 
three inductive conditions defined in the stronger claim of the 
proof of Lemma E.2. 

Case 1. Trivial, because $\Upsilon_{\mathcal{K}}$ is a fragment of $\Upsilon_{\mathcal{K}^p}$: it does not 
contain the portions of $\Upsilon_{\mathcal{K}^p}$ that are generated starting from 
a $T$-inconsistent (but always $T_p$-consistent) ABox. 

Case 2. The base case is trivial, because the initial state of 
$\Upsilon^{b}_{\mathcal{K}}$ is $(A_0, \emptyset)$, the initial state of $\Upsilon^{b}_{\mathcal{K}^p}$ is $(A_0^p, \emptyset)$, and by con- 
struction $A_0 \subseteq A_0^p$. 

The inductive case for an action step can be proven exactly 
in the same way discussed in the proof of Lemma E.2 - Claim 
1. 

We then focus on the inductive case for a repair step. Con- 
sider $\tau(i) = (A, m)$ in $\Upsilon^{b}_{\mathcal{K}}$ and $\tau^p(i) = (A^p, m^p)$ in $\Upsilon^{b}_{\mathcal{K}^p}$, 
s.t. conditions 1, 2 and 3 hold. By construction, we know 
that: 

• every successor of $(A, m)$ in $\Upsilon^{b}_{\mathcal{K}}$ has the form $(A', m)$, 
where $A' \in \mathrm{REP}(A \setminus \{\mathit{State}(\mathit{temp})\}, T)$; 

• $(A^p, m^p)$ has a unique successor $(A^p \setminus 
\{\mathit{State}(\mathit{temp})\}, m^p)$ in $\Upsilon^{b}_{\mathcal{K}^p}$. 

Since the service call maps do not change, the successors con- 
tinue to obey conditions 2 and 3. Furthermore, by defini- 
tion of $\mathrm{REP}()$, we know that $A' \subseteq A$ and, by hypothesis, that 
$A \subseteq A^p$. Consequently, $A' \subseteq A^p$, and therefore also condi- 
tion 1 is satisfied. 

Case 3. The base case and the inductive case for an ac- 
tion step are as in Case 2. We then focus on the inductive 
case for a repair step. Consider $\tau(i) = (A, m)$ in $\Upsilon^{c}_{\mathcal{K}}$ and 
$\tau^p(i) = (A^p, m^p)$ in $\Upsilon^{c}_{\mathcal{K}^p}$, s.t. conditions 1, 2 and 3 hold. By 
construction, we know that: 

• $(A, m)$ has a unique successor $(A', m)$ in $\Upsilon^{c}_{\mathcal{K}}$, where 

$A' = \bigcap_{A'' \in \mathrm{REP}(A \setminus \{\mathit{State}(\mathit{temp})\}, T)} A''$; 

• $(A^p, m^p)$ has a unique successor $(A^p \setminus 
\{\mathit{State}(\mathit{temp})\}, m^p)$ in $\Upsilon^{c}_{\mathcal{K}^p}$. 

Since the service call maps do not change, the successors con- 
tinue to obey conditions 2 and 3. Furthermore, by defi- 
nition we have $A' \subseteq A$ and, by hypothesis, we know that 
$A \subseteq A^p$. Consequently, $A' \subseteq A^p$, and therefore also condi- 
tion 1 is satisfied. 



Case 4. This case is directly obtained from Case 2, and from 
the observation that, by construction, each ABox of the con- 
sistent approximant contains all the possible $\mathit{Viol}$ assertions, 
since they are asserted in the initial state, and copied by means 
of a specific effect contained in each of its actions. Therefore, 
after a repair step, it is guaranteed that the ABox obtained in 
$\Upsilon^{eb}_{\mathcal{K}}$ is a subset of the corresponding ABox in $\Upsilon^{eb}_{\mathcal{K}^p}$. 

Case 5. This case is directly obtained from Case 3 and the 
observation made for Case 4. □ 



The proof of Theorem 4.3 is finally obtained by combin- 
ing Theorem E.1 and the composition of Lemma E.3 with 
Lemma E.2, thanks to transitivity of domination. 

F KABs with Consistent Query Answering 

As mentioned in the conclusion of the paper, an orthogo- 
nal approach to manage inconsistency would be to make 
the KAB itself inconsistency-tolerant. More specifically, we 
can conceive a KAB that admits inconsistent ABoxes, and 
that replaces the standard query answering service with an 
inconsistency-tolerant querying service, able to extract mean- 
ingful answers even in the presence of inconsistent information. 

In the following, we rely for this purpose on the stan- 
dard notion of consistent query answering in databases 
[Bertossi, 2006], which has been extended to the knowl- 
edge base setting in [Lembo et al., 2010]. More specifically, 
we introduce the following query answering service, which 
corresponds to the notion of AR-consistent entailment in 
[Lembo et al., 2010] (Definition 3). 

Given a UCQ $q$, the consistent-query answer to $q$ over 
$(T, A)$ is the set $\mathit{cqa}(q, T, A)$ of substitutions $\sigma$ of the free 
variables of $q$ with constants in $\mathrm{ADOM}(A)$ s.t., for every re- 
pair $A_r \in \mathrm{REP}(A, T)$, $q\sigma$ evaluates to true in every model of 
$(T, A_r)$. Observe that, when $A$ is $T$-consistent, the consistent- 
query answers coincide with the certain answers. 

As for certain answers, we extend the notion of 
consistent-query answer to ECQs as follows: given an ECQ 
$Q$, the consistent-query answer to $Q$ over $(T, A)$ is the set 
$\mathit{CQA}(Q, T, A)$ of tuples of constants in $\mathrm{ADOM}(A)$ defined 
by composing the consistent-query answers $\mathit{cqa}(q, T, A)$ of 
UCQs $q$ through first-order constructs, and interpreting exis- 
tential variables as ranging over $\mathrm{ADOM}(A)$. 

F.l Inconsistency-tolerant KABs 

We introduce the inconsistency-tolerant semantics for KABs 
as the variation of the standard semantics where: 

• all queries are answered using consistent-query answer- 
ing instead of certain answers (i.e., by replacing every 
$\mathit{ANS}(Q, T, A)$ with $\mathit{CQA}(Q, T, A)$); 

• an action with parameters is applied even if the result- 
ing ABox is T-inconsistent (in fact, consistent-query an- 
swering makes it possible to query such an inconsistent 
ABox in a meaningful way). 

We call it-KAB a KAB interpreted under the inconsistency- 
tolerant semantics. Given an it-KAB $\mathcal{K}$, we denote with $\Upsilon^{it}_{\mathcal{K}}$ 
the transition system describing its execution semantics. 

In order to specify temporal/dynamic properties over it- 
KABs, also the $\mu\mathcal{L}^{EQL}_{A}$ logic must be adapted, making it able 
to query even $T$-inconsistent ABoxes in a meaningful way. In 
particular, we introduce the logic $\mu\mathcal{L}^{it}_{A}$ that is syntactically 
equivalent to $\mu\mathcal{L}^{EQL}_{A}$, but redefines the semantics of local EQL 
queries $Q$ as follows: 

$(Q)^{\Upsilon}_{v} = \{\, s \in S \mid \mathit{CQA}(Qv, T, \mathit{abox}(s)) = \mathit{true} \,\}$ 



F.2 Verification of Inconsistency-Tolerant KABs 

In this section, we show that the decidability results presented 
for the repair semantics seamlessly apply to it-KABs as well. 

Lemma F.1. Consider two knowledge bases $(T, A_1)$ and 
$(T, A_2)$, s.t. there exists a bijection $h$ with $A_2 = h(A_1)$. For 
every EQL query $q$, we have $(d_1, \ldots, d_n) \in \mathit{CQA}(q, T, A_1)$ 
iff $(h(d_1), \ldots, h(d_n)) \in \mathit{CQA}(h(q), T, h(A_1))$. 

Proof. This result is a direct consequence of the combination 
of Lemmas A.1 and C.1. □ 
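The consistent-query answers defined above, and the renaming invariance of Lemma F.1, can be made concrete on a toy knowledge base. The following Python is an added example, not code from the paper; it assumes a TBox made only of disjointness assertions between atomic concepts (so its positive part $T_p$ is empty), atomic concept queries, and $\mathrm{REP}(A, T)$ as the set of maximal $T$-consistent subsets of $A$.

```python
from itertools import combinations

# Added example (not from the paper): consistent query answering over a toy DL KB.
# Assumptions: the TBox holds only disjointness assertions between atomic concepts
# (so its positive part T_p is empty), queries are atomic concept queries
# q(x) <- C(x), and REP(A, T) is the set of maximal T-consistent subsets of A.

# Constructed ABox: each assertion is (concept, individual).
ABOX = frozenset({("Student", "ann"), ("Professor", "ann"), ("Student", "bob")})
TBOX = frozenset({frozenset({"Student", "Professor"})})  # Student disjoint from Professor
TBOX_P = frozenset()  # positive part T_p: no negative inclusions at all


def consistent(abox, tbox):
    """True iff no individual is asserted in two disjoint concepts."""
    for disjoint in tbox:
        c1, c2 = tuple(disjoint)
        if {x for c, x in abox if c == c1} & {x for c, x in abox if c == c2}:
            return False
    return True


def repairs(abox, tbox):
    """REP(A, T): the maximal T-consistent subsets of A, enumerated largest first."""
    reps = []
    for k in range(len(abox), -1, -1):
        for sub in combinations(sorted(abox), k):
            s = frozenset(sub)
            # a consistent subset is a repair unless a larger repair already contains it
            if consistent(s, tbox) and not any(s < r for r in reps):
                reps.append(s)
    return reps


def ans(concept, abox):
    """Certain answers of q(x) <- concept(x); with no positive inclusions these are
    exactly the individuals asserted in the concept."""
    return {x for c, x in abox if c == concept}


def cqa(concept, abox, tbox):
    """Consistent query answers: the answers that hold in every repair of A."""
    return set.intersection(*(ans(concept, r) for r in repairs(abox, tbox)))


def rename(abox, h):
    """Apply a bijection h on individuals to an ABox (the setting of Lemma F.1)."""
    return frozenset((c, h[x]) for c, x in abox)
```

With the inconsistent ABOX, `ann` is a certain answer to Student but drops out of the consistent answers, while with the empty TBOX_P the ABox is its own unique repair and both notions coincide.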

Theorem F.2. Verification of $\mu\mathcal{L}^{it}_{A}$ properties over run- 
bounded it-KABs is decidable. 

Proof. By inspecting the proof of Theorem 3.3 (given in Ap- 
pendix B.1), we observe that the possibility of constructing 
a faithful finite-state abstraction for a run-bounded KAB de- 
pends on the fact that its execution semantics produce bisimi- 
lar runs starting from isomorphic states. This key property, in 
turn, relies on the fact that the query answering service does 
not distinguish between isomorphic states. Since this holds 
for consistent-query answers as well (see Lemma F.1), we can 
follow, step-by-step, the same proof given in Appendix B.1. 
□ 

Theorem F.3. Given a weakly acyclic KAB $\mathcal{K}$, we have that 
$\Upsilon^{it}_{\mathcal{K}}$ is run-bounded. 

Proof. Consider the consistent approximant $\mathcal{K}^p$ of $\mathcal{K}$. From 
Lemma E.2 we know that $\Upsilon_{\mathcal{K}^p}$ is dominated by $\Upsilon_{\mathcal{K}^+}$. By 
inspecting the proof of this claim, which in turn refers to the 
proof of Lemma 4.1 in [Bagheri Hariri et al., 2013], we know 
that this is the case because, state by state, the answers ex- 
tracted by $\mathcal{K}^p$ are contained in the ones extracted by $\mathcal{K}^+$. 

We now observe that, by definition, given a TBox 
$T$, an ABox $A$ and an EQL query $Q$, 

$\mathit{CQA}(Q, T, A) \subseteq \mathit{CQA}(Q, T_p, A) = \mathit{ANS}(Q, T_p, A)$. 

The equality $\mathit{CQA}(Q, T_p, A) = \mathit{ANS}(Q, T_p, A)$ holds because every 
ABox is consistent with $T_p$, and the only repair of a 
consistent ABox is the ABox itself. 

Consequently, we can apply the same line of 
reasoning used in the proof of Lemma 4.1 in 
[Bagheri Hariri et al., 2013], showing that $\Upsilon^{it}_{\mathcal{K}}$ is domi- 
nated by $\Upsilon_{\mathcal{K}^p}$. By applying Lemma E.2 and transitivity of 
domination, this in turn implies that $\Upsilon^{it}_{\mathcal{K}}$ is dominated by 
$\Upsilon_{\mathcal{K}^+}$. By recalling Theorem E.1 we finally get the result. □ 



